From 7484dbaeab8ee29d545dcea8d1a2d38414c799c2 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Fri, 01 Jun 2007 19:43:05 +0000
Subject: [PATCH] Update the way that privileges are evaluated by the server. Previously, they were always based on the authentication identity rather than the authorization identity. This means that when the two are different, the result could be incorrect. One key example of this is the use of the proxied authorization control by a root user. In this case, the proxied authorization would not be subject to access control because the authenticated user (but not the authorized user) had the bypass-acl privilege.
---
opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java
index 52537f4..ff7da54 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java
@@ -654,7 +654,10 @@
if(this.useAuthzid)
return this.authzid;
else
- return this.authorizationEntry.getDN();
+ if (this.authorizationEntry == null)
+ return DN.nullDN();
+ else
+ return this.authorizationEntry.getDN();
}
/**
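Review bot: The added null branch maps a missing `authorizationEntry` to `DN.nullDN()` with no comment saying which identity that represents during ACI evaluation. If the null DN is what bind rules treat as the anonymous user, which seems likely but is not visible in this hunk, an operation whose authorization entry was never populated is evaluated as anonymous rather than rejected or logged. That fails closed for privileges, but rules that grant access to unauthenticated clients would still match, so the intent should be written down, for example `// No authorization entry: evaluate ACIs as the anonymous (null DN) identity.`. The unbraced `if`/`else` nested under the outer `else` is easy to misread; a single braced return such as `return (this.authorizationEntry == null) ? DN.nullDN() : this.authorizationEntry.getDN();` is clearer. The enclosing method starts outside the hunk, so whether `this.authzid` can also be null on the `useAuthzid` path cannot be checked from here.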
--
Gitblit v1.10.0