ITS#6518 When using proxyauthz, replace existing control
authorOndřej Kuzník <ondra@mistotebe.net>
Mon, 1 Feb 2021 14:30:15 +0000 (14:30 +0000)
committerOndřej Kuzník <ondra@mistotebe.net>
Mon, 1 Feb 2021 16:04:52 +0000 (16:04 +0000)
servers/slapd/back-ldap/bind.c

index 8ce4bb7302fabdd42e6bf0e3c354ae0cbb4123f7..b948dc37b62e35d512a7fb409f7fd449cd3ac1f0 100644 (file)
@@ -2803,7 +2803,7 @@ ldap_back_controls_add(
        LDAPControl     **ctrls = NULL;
        /* set to the maximum number of controls this backend can add */
        LDAPControl     c[ 2 ] = { { 0 } };
-       int             n = 0, i, j1 = 0, j2 = 0;
+       int             n = 0, i, j1 = 0, j2 = 0, skipped = 0;
 
        *pctrls = NULL;
 
@@ -2893,12 +2893,21 @@ ldap_back_controls_add(
 
        i = 0;
        if ( op->o_ctrls ) {
+               LDAPControl *proxyauthz = ldap_control_find(
+                               LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
+
                for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-                       ctrls[ i + j1 ] = op->o_ctrls[ i ];
+                       if ( proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
+                               /* Frontend has already checked only one is present */
+                               assert( skipped == 0 );
+                               skipped++;
+                               continue;
+                       }
+                       ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ];
                }
        }
 
-       n += j1;
+       n += j1 - skipped;
        if ( j2 ) {
                ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;
                *ctrls[ n ] = c[ j1 ];
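Review bot: The skip in the copy loop is not tied to `j1`, so the client's proxied-authorization control is dropped whenever this code runs, even if the backend generated no replacement for it. Whether this point can be reached with `j1 == 0` and `j2 != 0` depends on code outside the hunk, but if it can, the request goes to the remote server with no authorization identity asserted and is evaluated under the proxy's bound identity. Guarding the test as `if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {` keeps the original control unless one was actually generated. Separately, `ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;` now derives its storage base from the reduced `n`; if the `j1` block above the hunk computes its base from the unreduced count, the two regions would overlap by one pointer slot, which is worth checking. ldap_back_controls_add starts and ends outside the hunk.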