clean up unnecessary checks; don't use SASL native authz if authz ID is not static, because back-ldap pools connections...

servers/slapd/back-ldap/bind.c

@@ -403,8 +403,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 		 * control to every operation with the dn bound 
 		 * to the connection as control value.
 		 */
-		if ( op->o_conn != NULL && ( ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) )
+		if ( op->o_conn != NULL && BER_BVISNULL( &lc->bound_dn ) ) {
-		{
 			struct berval	binddn = slap_empty_bv;
 			struct berval	bindcred = slap_empty_bv;
 			int		dobind = 0;
@@ -464,6 +463,7 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 					case LDAP_BACK_IDASSERT_SELF:
 						if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
 							/* connection is not authc'd, so don't idassert */
+							BER_BVSTR( &authzID, "dn:" );
 							break;
 						}
 						authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_dn.bv_len;
@@ -772,23 +772,26 @@ ldap_back_proxy_authz_ctrl(
 			goto done;
 		}
 
-		if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
+		if ( !BER_BVISNULL( &lc->bound_dn ) ) {
 			goto done;
 		}
 
-		if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
+		if ( BER_BVISNULL( &op->o_conn->c_dn ) ) {
 			goto done;
 		}
 
-		if ( BER_BVISNULL( &li->idassert_authcDN ) || BER_BVISEMPTY( &li->idassert_authcDN ) ) {
+		if ( BER_BVISNULL( &li->idassert_authcDN ) ) {
 			goto done;
 		}
 
 	} else if ( li->idassert_authmethod == LDAP_AUTH_SASL ) {
 		if ( ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ )
-				&& !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn ) )
+				/* && ( !BER_BVISNULL( &op->o_conn->c_dn ) || lc->bound ) */ )
 		{
 			/* already asserted in SASL via native authz */
+			/* NOTE: the test on lc->bound is used to trap
+			 * native authorization of anonymous users,
+			 * since in that case op->o_conn->c_dn is NULL */
 			goto done;
 		}
 

servers/slapd/back-ldap/external.h

@@ -29,6 +29,7 @@ extern BI_close	ldap_back_close;
 extern BI_destroy	ldap_back_destroy;
 
 extern BI_db_init	ldap_back_db_init;
+extern BI_db_open	ldap_back_db_open;
 extern BI_db_destroy	ldap_back_db_destroy;
 
 extern BI_db_config	ldap_back_db_config;

servers/slapd/back-ldap/init.c

@@ -60,7 +60,7 @@ ldap_back_initialize(
 
 	bi->bi_db_init = ldap_back_db_init;
 	bi->bi_db_config = ldap_back_db_config;
-	bi->bi_db_open = 0;
+	bi->bi_db_open = ldap_back_db_open;
 	bi->bi_db_close = 0;
 	bi->bi_db_destroy = ldap_back_db_destroy;
 
@@ -162,6 +162,29 @@ ldap_back_db_init(
 	return 0;
 }
 
+int
+ldap_back_db_open( BackendDB *be )
+{
+	struct ldapinfo	*li = (struct ldapinfo *)be->be_private;
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+	/* by default, use proxyAuthz control on each operation */
+	switch ( li->idassert_mode ) {
+	case LDAP_BACK_IDASSERT_LEGACY:
+	case LDAP_BACK_IDASSERT_SELF:
+		/* however, since admin connections are pooled and shared,
+		 * only static authzIDs can be native */
+		li->idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
+		break;
+
+	default:
+		break;
+	}
+#endif /* LDAP_BACK_PROXY_AUTHZ */
+
+	return 0;
+}
+
 void
 ldap_back_conn_free( 
 	void *v_lc