allow 'all' vs. 'any' sasl-authz-policy

doc/man/man5/slapd.conf.5

@@ -640,9 +640,19 @@ flag will use rules in the
 .I saslAuthzTo
 attribute of the authentication DN.
 The
-.B both
-flag will allow both of the above. The rules are simply regular expressions
-specifying which DNs are allowed to perform proxy authorization. The
+.B any
+flag, an alias for the deprecated value of
+.BR both ,
+will allow any of the above, whatever succeeds first (checked in
+.BR to ,
+.B from
+sequence.
+The
+.B all
+flag requires both authorizations to succeed.
+The rules are simply regular expressions specifying which DNs are allowed 
+to perform proxy authorization.
+The
 .I saslAuthzFrom
 attribute in an entry specifies which other users
 are allowed to proxy login to this entry. The

servers/slapd/saslauthz.c

@@ -72,9 +72,10 @@ static int nSaslRegexp = 0;
 static SaslRegexp_t *SaslRegexp = NULL;
 
 /* What SASL proxy authorization policies are allowed? */
-#define	SASL_AUTHZ_NONE	0
-#define	SASL_AUTHZ_FROM	1
-#define	SASL_AUTHZ_TO	2
+#define	SASL_AUTHZ_NONE	0x00
+#define	SASL_AUTHZ_FROM	0x01
+#define	SASL_AUTHZ_TO	0x02
+#define SASL_AUTHZ_AND	0x10
 
 static int authz_policy = SASL_AUTHZ_NONE;
 
@@ -88,8 +89,10 @@ int slap_sasl_setpolicy( const char *arg )
 		authz_policy = SASL_AUTHZ_FROM;
 	} else if ( strcasecmp( arg, "to" ) == 0 ) {
 		authz_policy = SASL_AUTHZ_TO;
-	} else if ( strcasecmp( arg, "both" ) == 0 ) {
+	} else if ( strcasecmp( arg, "both" ) == 0 || strcasecmp( arg, "any" ) == 0 ) {
 		authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO;
+	} else if ( strcasecmp( arg, "all" ) == 0 ) {
+		authz_policy = SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND;
 	} else {
 		rc = LDAP_OTHER;
 	}
@@ -972,7 +975,7 @@ int slap_sasl_authorized( Operation *op,
 	if( authz_policy & SASL_AUTHZ_TO ) {
 		rc = slap_sasl_check_authz( op, authcDN, authzDN,
 			slap_schema.si_ad_saslAuthzTo, authcDN );
-		if( rc == LDAP_SUCCESS ) {
+		if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
 			goto DONE;
 		}
 	}