From 493f638eb35be1fb960c44a63959aee41468d0b0 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Tue, 10 Jan 2006 02:27:00 +0000
Subject: [PATCH] backport ITS#4320 fix from HEAD

---
 CHANGES                  |  1 +
 servers/slapd/controls.c | 13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 82acef9399..5aa177fbd9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.3 Change Log
 
 OpenLDAP 2.3.17 Engineering
+	Fixed slapd anonymous proxy authorization issue (ITS#4320)
 	Fixed slapd-ldap/meta session reuse issue (ITS#4315)
 	Fixed slapd-monitor thread issue (ITS#4318)
 	Build environment
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 6d5bdcb1dc..f88ce1171b 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -844,6 +844,11 @@ static int parseProxyAuthz (
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	if ( BER_BVISEMPTY( &op->o_ndn ) ) {
+		rs->sr_text = "anonymous proxyAuthz not allowed";
+		return LDAP_PROXY_AUTHZ_FAILURE;
+	}
+
 	op->o_proxy_authz = ctrl->ldctl_iscritical
 		? SLAP_CONTROL_CRITICAL
 		: SLAP_CONTROL_NONCRITICAL;
@@ -860,10 +865,14 @@ static int parseProxyAuthz (
 			op->o_connid, 0, 0 );
 
 		/* anonymous */
-		op->o_ndn.bv_val[ 0 ] = '\0';
+		if ( !BER_BVISNULL( &op->o_ndn ) ) {
+			op->o_ndn.bv_val[ 0 ] = '\0';
+		}
 		op->o_ndn.bv_len = 0;
 
-		op->o_dn.bv_val[ 0 ] = '\0';
+		if ( !BER_BVISNULL( &op->o_dn ) ) {
+			op->o_dn.bv_val[ 0 ] = '\0';
+		}
 		op->o_dn.bv_len = 0;
 
 		return LDAP_SUCCESS;
-- 
2.39.5