idassert also in case of SASL mechs that do not set authcId

diff --git a/CHANGES b/CHANGES
index ffe27ba5f22452e85969b991246f2c29c4e961d9..0c563211bf00e4ec1130ade89fe2b4a5c091679b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,7 @@ OpenLDAP 2.3.39 Engineering
        Fixed slapd password_hash config order (ITS#5082)
        Fixed slapd slap_mods_check bug (ITS#5119)
        Fixed slapd-bdb DB_CONFIG conversion bug (ITS#5118)
+       Fixed slapd-ldap SASL idassert w/o autchId
        Fixed slapd-sql concurrency issue (ITS#5095)
        Fixed slapo-pcache and -rwm interaction fix (ITS#4991) 
        Fixed slapo-rwm modlist handling (ITS#5124)

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d0ade056492c4bddcfced2f7be43b9b7c1d2136d..52d8c7e2f10ffe489e360041cb3704111a51dccd 100644 (file)
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2133,7 +2133,8 @@ ldap_back_proxy_authz_ctrl(
         * but if it is not set this test fails.  We need a different
         * means to detect if idassert is enabled */
        if ( ( BER_BVISNULL( &si->si_bc.sb_authcId ) || BER_BVISEMPTY( &si->si_bc.sb_authcId ) )
-                       && ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) ) )
+               && ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) )
+               && BER_BVISNULL( &si->si_bc.sb_saslmech ) )
        {
                goto done;
        }