Full_Name: Kostantinos Koukopoulos
Version: 2.4.11
OS: Solaris
URL: ftp://ftp.openldap.org/incoming/kostantinos-koukopoulos-080801.diff
Submission from: (NULL) (195.134.100.30)

There is a bug in the function 'slap_acl_mask' in servers/slapd/acl.c that affects the processing of dynacls. In particular, the code attempts to apply ACL_ACCESS2PRIV to a variable already containing a slap_mask_t value. By chance, this does not make a difference except when the dynacl rule is applied after a 'break' in a previous rule that has altered the default mask. It appears that the intention was to check whether the requested access level applies to the dynacl rule access mask. Instead, the check is made against the current applied mask. The referenced patch fixes this issue by passing the requested access level as an extra parameter to the function and using it for the check.