From 1aecfe0b8fd36193b830266848f0cce5bd3854ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Mon, 1 Feb 2021 17:22:35 +0000
Subject: [PATCH] ITS#6518 Only remove proxyauthz control if we generated one
 ourselves

---
 servers/slapd/back-asyncmeta/bind.c | 3 ++-
 servers/slapd/back-ldap/bind.c      | 3 ++-
 servers/slapd/back-meta/bind.c      | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/servers/slapd/back-asyncmeta/bind.c b/servers/slapd/back-asyncmeta/bind.c
index a7d266ddeb..35e0d36778 100644
--- a/servers/slapd/back-asyncmeta/bind.c
+++ b/servers/slapd/back-asyncmeta/bind.c
@@ -1348,7 +1348,8 @@ asyncmeta_controls_add( Operation *op,
 				LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
 
 		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-			if ( proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
+			/* Only replace it if we generated one */
+			if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
 				/* Frontend has already checked only one is present */
 				assert( skipped == 0 );
 				skipped++;
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index b948dc37b6..9e9b0cce87 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2897,7 +2897,8 @@ ldap_back_controls_add(
 				LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
 
 		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-			if ( proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
+			/* Only replace it if we generated one */
+			if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
 				/* Frontend has already checked only one is present */
 				assert( skipped == 0 );
 				skipped++;
diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c
index 235deb9582..4f8f65668e 100644
--- a/servers/slapd/back-meta/bind.c
+++ b/servers/slapd/back-meta/bind.c
@@ -1723,7 +1723,8 @@ meta_back_controls_add(
 				LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
 
 		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-			if ( proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
+			/* Only replace it if we generated one */
+			if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
 				/* Frontend has already checked only one is present */
 				assert( skipped == 0 );
 				skipped++;