diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d1428c1204..7632a57321 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1919,7 +1919,10 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
 default:
 /* NOTE: rootdn can always idassert */
- if ( BER_BVISNULL( &ndn ) && li->li_idassert_authz == NULL ) {
+ if ( BER_BVISNULL( &ndn )
+ && li->li_idassert_authz == NULL
+ && !( li->li_idassert_flags & LDAP_BACK_AUTH_AUTHZ_ALL ) )
+ {
 if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
 rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
 if ( sendok & LDAP_BACK_SENDERR ) {
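Review bot: The comment above the test still only says that rootdn can always idassert, while the new third clause changes who is rejected: with `LDAP_BACK_AUTH_AUTHZ_ALL` set, an operation whose `ndn` is null (an anonymous client) no longer takes the `LDAP_INAPPROPRIATE_AUTH` path and instead continues to whatever follows this `if`. Because that widens identity assertion to unauthenticated clients, I would state it next to the condition, e.g. `/* anonymous is refused unless authz rules exist or AUTHZ_ALL (presumably a wildcard idassert-authzFrom) is set */`. The rest of the `default:` branch lies outside the hunk, so whether the later authorization checks handle a null `ndn` sensibly under this flag cannot be confirmed from here. A regression test covering an anonymous bind with and without the flag would pin the intended behaviour.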