From d8331e1b81d59467558c888ce7731bb7f520d43b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Thu, 9 Dec 2021 12:01:36 +0000
Subject: [PATCH] ITS#9768 Enforce single name per
 olcTranslucentLocal/olcTranslucentRemote value

---
 servers/slapd/overlays/translucent.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c
index 654142548b..16dd1f9465 100644
--- a/servers/slapd/overlays/translucent.c
+++ b/servers/slapd/overlays/translucent.c
@@ -218,10 +218,21 @@ translucent_cf_gen( ConfigArgs *c )
 		}
 		return 0;
 	}
+
+	/* cn=config values could be deleted later, make sure we only allow one
+	 * name per value for valx to match. */
+	if ( c->op != SLAP_CONFIG_ADD && strchr( c->argv[1], ',' ) ) {
+		snprintf( c->cr_msg, sizeof( c->cr_msg ),
+			"%s: Please provide attribute names in separate values",
+			c->argv[0] );
+		goto fail;
+	}
+
 	a2 = str2anlist( *an, c->argv[1], "," );
 	if ( !a2 ) {
 		snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s unable to parse attribute %s",
 			c->argv[0], c->argv[1] );
+fail:
 		Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
 			"%s: %s\n", c->log, c->cr_msg );
 		return ARG_BAD_CONF;