ACL fixes from devel

servers/slapd/acl.c

@@ -555,7 +555,7 @@ acl_mask(
 			}
 		}
 
-		if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
+		if ( b->a_dn_at != NULL ) {
 			Attribute	*at;
 			struct berval	bv;
 			int rc, match = 0;
@@ -564,6 +564,10 @@ acl_mask(
 
 			assert( attr != NULL );
 
+			if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
+				continue;
+			}
+
 			Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n",
 				attr, 0, 0);
 			bv.bv_val = op->o_ndn;
@@ -621,9 +625,13 @@ acl_mask(
 			}
 		}
 
-		if ( b->a_group_pat != NULL && op->o_ndn != NULL ) {
+		if ( b->a_group_pat != NULL ) {
 			char buf[1024];
 
+			if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
+				continue;
+			}
+
 			/* b->a_group is an unexpanded entry name, expanded it should be an 
 			 * entry with objectclass group* and we test to see if odn is one of
 			 * the values in the attribute group

servers/slapd/str2filter.c

@@ -247,7 +247,7 @@ str2subvals( const char *in, Filter *f )
 	val = freeme = ch_strdup( in );
 	gotstar = 0;
 
-	while ( *val ) {
+	while ( val && *val ) {
 		if ( (nextstar = ldap_pvt_find_wildcard( val )) != NULL )
 			*nextstar++ = '\0';
 

tests/data/slapd-acl.conf

@@ -49,9 +49,16 @@ access		to attr=member
 		by dnattr=member selfwrite
 		by * read
 
+access		to attr=member filter=(mail=*edu)
+		by * read
+
 access		to filter="objectclass=groupofnames"
 		by dn.base="cn=Bjorn Jensen, ou=Information Technology Division, ou=People, o=University of Michigan,c=US" =sc continue
 		by dn="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US$" +rw stop
 		by * break
 
+	
+
 # fall into global ACLs
+
+