From: Ondřej Kuzník Date: Mon, 1 Feb 2021 14:30:15 +0000 (+0000) Subject: ITS#6518 When using proxyauthz, replace existing control X-Git-Tag: OPENLDAP_REL_ENG_2_5_1ALPHA~11^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a02ae132dfbc4b244acc825d73006be1ed90f61;p=thirdparty%2Fopenldap.git ITS#6518 When using proxyauthz, replace existing control --- diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 8ce4bb7302..b948dc37b6 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -2803,7 +2803,7 @@ ldap_back_controls_add( LDAPControl **ctrls = NULL; /* set to the maximum number of controls this backend can add */ LDAPControl c[ 2 ] = { { 0 } }; - int n = 0, i, j1 = 0, j2 = 0; + int n = 0, i, j1 = 0, j2 = 0, skipped = 0; *pctrls = NULL; @@ -2893,12 +2893,21 @@ ldap_back_controls_add( i = 0; if ( op->o_ctrls ) { + LDAPControl *proxyauthz = ldap_control_find( + LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL ); + for ( i = 0; op->o_ctrls[ i ]; i++ ) { - ctrls[ i + j1 ] = op->o_ctrls[ i ]; + if ( proxyauthz && proxyauthz == op->o_ctrls[ i ] ) { + /* Frontend has already checked only one is present */ + assert( skipped == 0 ); + skipped++; + continue; + } + ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ]; } } - n += j1; + n += j1 - skipped; if ( j2 ) { ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1; *ctrls[ n ] = c[ j1 ];
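Review bot: The skip inside the `for` loop of the second hunk drops the client's proxied-authorization control whenever `ldap_control_find()` locates one, without checking that this function actually placed a replacement in `c[]`. If the code above the hunk can reach this loop with no generated control, the request would presumably be forwarded with no authorization identity asserted at all and be evaluated under the proxy's own bound identity. Gating the skip on the replacement existing would avoid that, e.g. `if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {`, provided `j1` counts only that control (it is assigned outside the hunk). Separately, `n` is now reduced by `skipped` before `ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;`, so if the earlier allocation placed the control structs after the pointer slots using the unreduced count, this address lands one slot early and can overlap the preceding struct when `j2` is non-zero. `ldap_back_controls_add` begins and ends outside both hunks, so the allocation and the `j1`/`j2` setup need checking there.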