From 0c8a5875d0eeef182788984a47ec28bed331b47b Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Wed, 13 May 2026 14:51:27 +0100
Subject: [PATCH] ITS#10503 authzTo: reject member attributes with non-DN syntax
---
 servers/slapd/saslauthz.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 28c99b101b..cb1efd1a77 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -368,6 +368,10 @@ is_dn: bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
 if ( rc != LDAP_SUCCESS ) {
 return rc;
 }
+ if (ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
+ !is_at_syntax( ad->ad_type, SLAPD_NAMEUID_SYNTAX )) {
+ return LDAP_INVALID_SYNTAX;
+ }
 }
 if ( oc_bvfind( &group_oc ) == NULL ) {
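Review bot: The guard added after the `rc != LDAP_SUCCESS` check has no comment saying why the member attribute is restricted, and it tests the two accepted syntaxes in two different ways: a pointer compare against `slap_schema.si_syn_distinguishedName`, then an OID compare through `is_at_syntax`. I would put `/* ITS#10503: the member attribute must have DN or NameAndOptionalUID syntax */` above it and, if the two forms are meant to be equivalent, write the first test as `!is_at_syntax( ad->ad_type, SLAPD_DN_SYNTAX )` so both read the same. The new `if (` and `))` also drop the padded-parenthesis spacing that the surrounding context lines use (`if ( rc != LDAP_SUCCESS ) {`). The enclosing function starts and ends outside the hunk, and this is the only site the commit touches. If this is the value validator, authzTo values stored before the change would not be re-checked, so it is worth confirming that the code which later evaluates the group rule enforces the same restriction.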