Fixed paren nesting bug, separated convoluted conditionals, added comm

ents about the logic.

servers/slapd/acl.c

@@ -532,7 +532,7 @@ acl_mask(
 		if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
 			Attribute	*at;
 			struct berval	bv;
-			int match = 0;
+			int rc, match = 0;
 			const char *text;
 			const char *desc = b->a_dn_at->ad_cname->bv_val;
 
@@ -555,21 +555,41 @@ acl_mask(
 			}
 
 			if( match ) {
-				if ( b->a_dn_self && (val == NULL
+				/* have a dnattr match. if this is a self clause then
-					|| value_match( &match, b->a_dn_at,
+				 * the target must also match the op dn.
-						b->a_dn_at->ad_type->sat_equality, val, &bv, &text ) )
+				 */
-						!= LDAP_SUCCESS
+				if ( b->a_dn_self ) {
-					|| match )
+					/* check if the target is an attribute. */
-				{
+					if ( val == NULL )
-					continue;
+						continue;
+					/* target is attribute, check if the attribute value
+					 * is the op dn.
+					 */
+					rc = value_match(	&match, b->a_dn_at,
+										b->a_dn_at->ad_type->sat_equality,
+										val, &bv, &text );
+					/* on match error or no match, fail the ACL clause */
+					if (rc != LDAP_SUCCESS || match != 0 )
+						continue;
 				}
-			} else if ( ! b->a_dn_self || val == NULL
+			} else {
-				|| value_match( &match, b->a_dn_at,
+				/* no dnattr match, check if this is a self clause */
-					b->a_dn_at->ad_type->sat_equality, val, &bv, &text )
+				if ( ! b->a_dn_self )
-					!= LDAP_SUCCESS
+					continue;
-				|| match )
+				/* this is a self clause, check if the target is an
-			{
+				 * attribute.
-				continue;
+				 */
+				if ( val == NULL )
+					continue;
+				/* target is attribute, check if the attribute value
+				 * is the op dn.
+				 */
+				rc = value_match(	&match, b->a_dn_at,
+									b->a_dn_at->ad_type->sat_equality,
+									val, &bv, &text );
+				/* on match error or no match, fail the ACL clause */
+				if (rc != LDAP_SUCCESS || match != 0 )
+					continue;
 			}
 		}