From db46f888530aeae83e0c1d853083c62b8e855987 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 28 Oct 2020 16:50:23 +0000
Subject: [PATCH] ITS#9379 reject listener URLs with non-empty DNs

---
 servers/slapd/daemon.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index 87c1a73ed9..7c5834efce 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -1648,6 +1648,14 @@ slap_open_listener(
 	}
 #endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
 
+	if ( lud->lud_dn && lud->lud_dn[0] ) {
+		sprintf( (char *)url, "%s://%s/", lud->lud_scheme, lud->lud_host );
+		Debug( LDAP_DEBUG_ANY, "daemon: listener URL %s<junk> DN must be absent (%s)\n",
+			url, lud->lud_dn );
+		ldap_free_urldesc( lud );
+		return -1;
+	}
+
 	ldap_free_urldesc( lud );
 	if ( err ) {
 		slap_free_listener_addresses(sal);
-- 
2.47.3