From d4e690e0028d47521b0429a3090261e6c8794856 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Mon, 19 Mar 2007 15:52:17 +0000
Subject: [PATCH] Fix issue with unauthorized idassert and DN rewrite

---
 CHANGES                        | 1 +
 servers/slapd/back-ldap/bind.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index f5c0276503..a52ea58741 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,7 @@ OpenLDAP 2.3.35 Engineering
 	Fixed zero-length IA5string handling (ITS#4823)
 	Fixed slapd-bdb/hdb startup with missing shm env (ITS#4851)
 	Fixed slapd-ldap/meta consistency in referral proxying (ITS#4861)
+	Fixed slapd-ldap bind cleanup in case of unauthorized idassert
 	Fixed slapd-meta search cleanup
 	Fixed slapd-meta/slapo-rwm filter mapping
 	Fixed slapd-sql subtree shortcut (ITS#4856)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d4bb36ab8b..d0ade05649 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -760,13 +760,13 @@ ldap_back_getconn(
 			op->o_ndn = op->o_req_ndn;
 		}
 		isproxyauthz = ldap_back_is_proxy_authz( op, rs, sendok, binddn, bindcred );
-		if ( isproxyauthz == -1 ) {
-			return NULL;
-		}
 		if ( op->o_tag == LDAP_REQ_BIND ) {
 			op->o_dn = save_o_dn;
 			op->o_ndn = save_o_ndn;
 		}
+		if ( isproxyauthz == -1 ) {
+			return NULL;
+		}
 
 		lc_curr.lc_local_ndn = op->o_ndn;
 		/* Explicit binds must not be shared;
-- 
2.47.2