Patch: ACL #access-id#<invalid-DN> granted access to everyone (ITS#2006)

================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================

There is a bug in OpenLDAPaci's "access-id": If the specified DN is
invalid so dnNormalize2() fails, everyone gets access.
This means that e.g. "#access-id#[all]" gives public access, so it
might be considered a feature, but I fixed it anyway:-)  I guess that
means the change should be documented in the release notes, though.

See also ITS#2005 (add OpenLDAPaci #public# access).

Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, Aug 2002.
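The fail-open the commit message describes, as an added illustration that is not OpenLDAP's code: a simplified access-id matcher in which a subject DN that cannot be normalized grants access, beside a fail-closed version. The function names, the stand-in normalizer and its rule for what counts as an invalid DN are assumptions for this example.

```c
#include <ctype.h>
#include <string.h>

/* Stand-in for dnNormalize2() (assumption, not the real routine): lowercase
 * the DN into out; return 0 on success, -1 when the input cannot be a DN.
 * Hypothetical rule: a DN must contain '=' and must not be a bracketed
 * keyword such as "[all]". */
static int toy_dn_normalize(const char *in, char *out, size_t outlen) {
    size_t n = strlen(in);
    if (n == 0 || n >= outlen || in[0] == '[' || strchr(in, '=') == NULL)
        return -1;
    for (size_t i = 0; i <= n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    return 0;
}

/* One way the ITS#2006 behaviour arises (assumed shape, not necessarily
 * OpenLDAP's exact code): the result is only computed when normalization
 * succeeds, so an unparseable ACI subject keeps the granting default. */
int access_id_matches_failopen(const char *aci_dn, const char *op_ndn) {
    char ndn[256];
    int rc = 1;                               /* bug: default is "grant" */
    if (toy_dn_normalize(aci_dn, ndn, sizeof ndn) == 0)
        rc = (strcmp(ndn, op_ndn) == 0);
    return rc;
}

/* Fail-closed version: a subject DN that cannot be normalized never
 * matches, so a typo or a keyword like "[all]" in #access-id# denies. */
int access_id_matches(const char *aci_dn, const char *op_ndn) {
    char ndn[256];
    if (toy_dn_normalize(aci_dn, ndn, sizeof ndn) != 0)
        return 0;                             /* unparseable subject: deny */
    return strcmp(ndn, op_ndn) == 0;
}
```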
Kurt Zeilenga 2002-08-05 17:52:16 +00:00
parent dcba22cc05
commit f8c0481dd4

@ -28,6 +28,7 @@ static struct berval
aci_bv_br_all = BER_BVC("[all]"),
aci_bv_access_id = BER_BVC("access-id"),
aci_bv_anonymous = BER_BVC("anonymous"),
aci_bv_public = BER_BVC("public"),
aci_bv_users = BER_BVC("users"),
aci_bv_self = BER_BVC("self"),
aci_bv_dnattr = BER_BVC("dnattr"),
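Review bot: the added `aci_bv_public = BER_BVC("public")` constant belongs to the #public# access form that the commit message only cross-references as ITS#2005, while the subject line scopes this commit to the ITS#2006 fail-open fix; state in the commit message that both changes ship together, so the release-notes entry the message asks for also covers the new keyword.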
@ -1707,6 +1708,8 @@ aci_mask(
See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
a full description of the format for this attribute.
Differences: "this" in the draft is "self" here, and
"self" and "public" is in the position of dnType.
For now, this routine only supports scope=entry.
*/
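Review bot: in the updated comment, `"self" and "public" is in the position of dnType` should read `are`; and since this comment is the in-tree description of where the ACI syntax departs from draft-ietf-ldapext-aci-model-04, it is worth saying here that `public` matches every requester rather than naming a DN, so readers do not take it for another DN form.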
@ -1751,6 +1754,9 @@ aci_mask(
}
return (rc);
} else if (ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0) {
return(1);
} else if (ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0) {
if (dn_match(&op->o_ndn, &e->e_nname))
return(1);
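Review bot: the change that actually closes ITS#2006 is not verifiable from this view: the header counts three added lines, but only the two-line `public` branch is visible, and the access-id branch is shown ending in `}` and `return (rc);` with nothing indicating what `rc` holds when dnNormalize2() fails. Confirm that `rc` is 0 on the normalization-failure path before `return (rc);`, since that is the fail-open the commit message describes. Minor: the new `return(1);` differs in spacing from `return (rc);` two lines above; pick one style.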