Regarding previous commit:

Fix broken ACL macros.
	Fix o_dn/o_ndn == NULL vs "".

servers/slapd/acl.c

@@ -260,7 +260,17 @@ acl_access_allowed(
 			 * user is bound as somebody in the same namespace as
 			 * the entry, OR the given dn matches the dn pattern
 			 */
-			if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
+			if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 && 
+				(op->o_ndn == NULL || *(op->o_ndn) == '\0' ) ) 
+			{
+				Debug( LDAP_DEBUG_ACL,
+				"<= acl_access_allowed: matched by clause #%d access %s\n",
+				    i, ACL_GRANT(b->a_access, access)
+						? "granted" : "denied", 0 );
+
+				return ACL_GRANT(b->a_access, access );
+
+			} else if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
 				op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) 
 			{
 				if ( strcmp( edn, op->o_ndn ) == 0 ) {
@@ -512,6 +522,8 @@ regex_matches(
 	char newbuf[512];
 	int	rc;
 
+	if(str == NULL) str = "";
+
 	string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
 	if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
 		char error[512];

servers/slapd/aclparse.c

@@ -194,6 +194,8 @@ parse_acl(
 			split( argv[i], '=', &left, &right );
 			if ( strcasecmp( argv[i], "*" ) == 0 ) {
 				b->a_dnpat = ch_strdup( ".*" );
+			} else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
+				b->a_dnpat = ch_strdup( "anonymous" );
 			} else if ( strcasecmp( argv[i], "self" ) == 0 ) {
 				b->a_dnpat = ch_strdup( "self" );
 			} else if ( strcasecmp( left, "dn" ) == 0 ) {
@@ -263,7 +265,7 @@ parse_acl(
 
 			/* get <access> */
 			split( argv[i], '=', &left, &right );
-			if ( ACL_IS_INVALID(ACL_SET(str2access( left ),b->a_access)) ) {
+			if ( ACL_IS_INVALID(ACL_SET(b->a_access,str2access( left ))) ) {
 				fprintf( stderr,
 			    "%s: line %d: expecting <access> got \"%s\"\n",
 				    fname, lineno, left );
@@ -379,7 +381,7 @@ acl_usage( void )
 		"<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
 		"<attrlist> ::= <attr> | <attr> , <attrlist>\n"
 		"<attr> ::= <attrname> | entry | children\n"
-		"<who> ::= * | self | dn=<regex> | addr=<regex>\n"
+		"<who> ::= * | anonymous | self | dn=<regex> | addr=<regex>\n"
 			"\t| domain=<regex> | dnattr=<dnattrname>\n"
 #ifdef SLAPD_ACLGROUPS
 			"\t| group[/<objectclass>[/<attrname>]]=<regex>\n"
@@ -433,7 +435,13 @@ print_access( struct access *b )
 	fprintf( stderr, "\tby" );
 
 	if ( b->a_dnpat != NULL ) {
-		fprintf( stderr, " dn=%s", b->a_dnpat );
+		if( strcmp(b->a_dnpat, "anonymous") == 0 ) {
+			fprintf( stderr, " anonymous" );
+		} else if( strcmp(b->a_dnpat, "self") == 0 ) {
+			fprintf( stderr, " self" );
+		} else {
+			fprintf( stderr, " dn=%s", b->a_dnpat );
+		}
 	} else if ( b->a_addrpat != NULL ) {
 		fprintf( stderr, " addr=%s", b->a_addrpat );
 	} else if ( b->a_domainpat != NULL ) {

servers/slapd/bind.c

@@ -69,14 +69,14 @@ do_bind(
 
 	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
-	if ( op->o_ndn != NULL ) {
-		free( op->o_ndn );
-		op->o_ndn = NULL;
-	}
-
 	if ( op->o_dn != NULL ) {
 		free( op->o_dn );
-		op->o_dn = NULL;
+		op->o_dn = ch_strdup( "" );
+	}
+
+	if ( op->o_ndn != NULL ) {
+		free( op->o_ndn );
+		op->o_ndn = ch_strdup( "" );
 	}
 
 	/*

servers/slapd/config.c

@@ -425,16 +425,18 @@ read_config( char *fname )
 				return( 1 );
 			}
 			if ( be == NULL ) {
-				if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]),
-					global_default_access)) ) {
+				if ( ACL_IS_INVALID(ACL_SET(global_default_access,
+						str2access(cargv[1]))) )
+				{
 					Debug( LDAP_DEBUG_ANY,
 "%s: line %d: bad access \"%s\" expecting [self]{none|compare|read|write}\n",
 					    fname, lineno, cargv[1] );
 					return( 1 );
 				}
 			} else {
-				if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]),
-					be->be_dfltaccess)) ) {
+				if ( ACL_IS_INVALID(ACL_SET(be->be_dfltaccess,
+						str2access(cargv[1]))) )
+				{
 					Debug( LDAP_DEBUG_ANY,
 						"%s: line %d: bad access \"%s\", "
 						"expecting [self]{none|compare|search|read|write}\n",

servers/slapd/slap.h

@@ -188,32 +188,32 @@ struct access {
 #define ACL_SELF	0x4000
 #define ACL_INVALID	-1
 
-#define ACL_IS(lvl,a)	(((a) & (lvl)) == (lvl))
+#define ACL_IS(a,lvl)	(((a) & (lvl)) == (lvl))
 
-#define ACL_IS_NONE(a)		ACL_IS(ACL_SELF,(a))
-#define ACL_IS_AUTH(a)		ACL_IS(ACL_AUTH,(a))
-#define ACL_IS_COMPARE(a)	ACL_IS(ACL_COMPARE,(a))
-#define ACL_IS_SEARCH(a)	ACL_IS(ACL_SEARCH,(a))
-#define ACL_IS_READ(a)		ACL_IS(ACL_READ,(a))
-#define ACL_IS_WRITE(a)		ACL_IS(ACL_WRITE,(a))
-#define ACL_IS_SELF(a)		ACL_IS(ACL_SELF,(a))
-#define ACL_IS_INVALID(a)	ACL_IS(ACL_INVALID,(a))
+#define ACL_IS_NONE(a)		ACL_IS((a),ACL_SELF)
+#define ACL_IS_AUTH(a)		ACL_IS((a),ACL_AUTH)
+#define ACL_IS_COMPARE(a)	ACL_IS((a),ACL_COMPARE)
+#define ACL_IS_SEARCH(a)	ACL_IS((a),ACL_SEARCH)
+#define ACL_IS_READ(a)		ACL_IS((a),ACL_READ)
+#define ACL_IS_WRITE(a)		ACL_IS((a),ACL_WRITE)
+#define ACL_IS_SELF(a)		ACL_IS((a),ACL_SELF)
+#define ACL_IS_INVALID(a)	ACL_IS((a),ACL_INVALID)
 
 
 #define ACL_CLR(a)			((a) = 0)
-#define ACL_SET(lvl,a)		((a) |= (lvl))
-#define ACL_SET_NONE(a)		ACL_SET(ACL_SELF,(a))
-#define ACL_SET_AUTH(a)		ACL_SET(ACL_AUTH,(a))
-#define ACL_SET_COMPARE(a)	ACL_SET(ACL_COMPARE,(a))
-#define ACL_SET_SEARCH(a)	ACL_SET(ACL_SEARCH,(a))
-#define ACL_SET_READ(a)		ACL_SET(ACL_READ,(a))
-#define ACL_SET_WRITE(a)	ACL_SET(ACL_WRITE,(a))
-#define ACL_SET_SELF(a)		ACL_SET(ACL_SELF,(a))
-#define ACL_SET_INVALID(a)	ACL_SET(ACL_INVALID,(a))
+#define ACL_SET(a,lvl)		((a) |= (lvl))
+#define ACL_SET_NONE(a)		ACL_SET((a),ACL_SELF)
+#define ACL_SET_AUTH(a)		ACL_SET((a),ACL_AUTH)
+#define ACL_SET_COMPARE(a)	ACL_SET((a),ACL_COMPARE)
+#define ACL_SET_SEARCH(a)	ACL_SET((a),ACL_SEARCH)
+#define ACL_SET_READ(a)		ACL_SET((a),ACL_READ)
+#define ACL_SET_WRITE(a)	ACL_SET((a),ACL_WRITE)
+#define ACL_SET_SELF(a)		ACL_SET((a),ACL_SELF)
+#define ACL_SET_INVALID(a)	ACL_SET((a),ACL_INVALID)
 
 #define ACL_PRIV_MASK	0x00ff
 #define	ACL_PRIV(a)		((a) & ACL_PRIV_MASK)
-#define ACL_GRANT(lvl,a)	(ACL_PRIV(a) >= (lvl))
+#define ACL_GRANT(a,lvl)	(ACL_PRIV(a) >= (lvl))
 #define ACL_TEST