Happy New Year!

[openldap] / servers / slapd / back-ldap / bind.c

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 1718e612d302c97195f7066349410cd3bf5151fd..29f848815560500ca03dcd8dd01e809acb37bc49 100644 (file)
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2014 The OpenLDAP Foundation.
+ * Copyright 1999-2016 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -271,6 +271,8 @@ retry:;
                if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_BIND_SERR ) ) {
                        goto retry;
                }
+               if ( !lc )
+                       return( rc );
        }
 
        ldap_pvt_thread_mutex_lock( &li->li_counter_mutex );
@@ -1573,6 +1575,12 @@ retry:;
                        op->o_tag = o_tag;
                        rs->sr_text = "Proxy can't contact remote server";
                        send_ldap_result( op, rs );
+                       /* if we originally bound and wanted rebind-as-user, must drop
+                        * the connection now because we just discarded the credentials.
+                        * ITS#7464, #8142
+                        */
+                       if ( LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
+                               rs->sr_err = SLAPD_DISCONNECT;
                }
 
                rc = 0;
@@ -1845,7 +1853,7 @@ retry:;
                 * LDAP_COMPARE_{TRUE|FALSE}) */
                default:
                        /* only touch when activity actually took place... */
-                       if ( li->li_idle_timeout && lc ) {
+                       if ( li->li_idle_timeout ) {
                                lc->lc_time = op->o_time;
                        }