Fix issue with unauthorized idassert and DN rewrite

diff --git a/CHANGES b/CHANGES
index f5c02765030424e4e983b81ab092a545518c56f2..a52ea58741a3d88393e5c705f1b214ee769becfc 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,7 @@ OpenLDAP 2.3.35 Engineering
        Fixed zero-length IA5string handling (ITS#4823)
        Fixed slapd-bdb/hdb startup with missing shm env (ITS#4851)
        Fixed slapd-ldap/meta consistency in referral proxying (ITS#4861)
+       Fixed slapd-ldap bind cleanup in case of unauthorized idassert
        Fixed slapd-meta search cleanup
        Fixed slapd-meta/slapo-rwm filter mapping
        Fixed slapd-sql subtree shortcut (ITS#4856)

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d4bb36ab8bf2d53816cbf9c5888e60728f44bc5a..d0ade056492c4bddcfced2f7be43b9b7c1d2136d 100644 (file)
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -760,13 +760,13 @@ ldap_back_getconn(
                        op->o_ndn = op->o_req_ndn;
                }
                isproxyauthz = ldap_back_is_proxy_authz( op, rs, sendok, binddn, bindcred );
-               if ( isproxyauthz == -1 ) {
-                       return NULL;
-               }
                if ( op->o_tag == LDAP_REQ_BIND ) {
                        op->o_dn = save_o_dn;
                        op->o_ndn = save_o_ndn;
                }
+               if ( isproxyauthz == -1 ) {
+                       return NULL;
+               }
 
                lc_curr.lc_local_ndn = op->o_ndn;
                /* Explicit binds must not be shared;