From: Ondřej Kuzník
Date: Wed, 10 Dec 2025 12:07:18 +0000 (+0000)
Subject: ITS#7347 Allow subtractive -a/z/i to work as expected
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93d7b9ef7af5747859b82f4326661728106b0149;p=thirdparty%2Fopenldap.git
ITS#7347 Allow subtractive -a/z/i to work as expected
---
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 6e841a7548..780bb21790 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -1860,6 +1860,11 @@ slap_acl_mask(
 ACL_PRIV_CLR( *mask, modmask );
 /* cleanup */
+ if ( (modmask & ACL_PRIV_WRITE) && (*mask & ACL_PRIV_WRITE) ) {
+ /* ITS#7347 Allow subtractive -a/z/i to keep the other counterpart (so
+ * that "=w" then "-a" -> "zi" etc.) */
+ ACL_PRIV_SET( *mask, ACL_ACCESS2PRIV(ACL_WRITE_) );
+ }
 ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK );
 } else {
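Review bot: The new block re-adds a privilege bit inside the subtractive branch of slap_acl_mask, and its guard `(*mask & ACL_PRIV_WRITE)` is a non-zero test against what appears to be a multi-bit mask, so it fires whenever any write-related bit survives the `ACL_PRIV_CLR( *mask, modmask )` above it. That is presumably safe only if a leftover bit always means a write sub-privilege was held before this clause, so the comment should state that invariant, e.g. `/* a surviving ACL_PRIV_WRITE bit implies write access was held before the subtraction; only the common write bit is restored */`. The existing `/* cleanup */` comment now labels the restore block rather than the `~ACL_PRIV_MASK` clear and should move down to the line it describes. No test change is visible in this patch; because this alters access-control results, a regression case covering `=w` followed by each of `-a`, `-z`, `-i` and `-w`, plus subtracting a privilege that was never granted, would pin the behaviour. The enclosing function starts and ends outside the hunk.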