fix for select_backend suggested G. Gombas (ITS 1090)

[openldap] / servers / slapd / starttls.c

diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index bd12f32c73d0be0c140d9c0b4cd10dad23ce2ef5..97bbab084ac9dd34cbd9fd11cb3a06b1333133b0 100644 (file)
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -59,6 +59,21 @@ starttls_extop (
                goto done;
        }
 
+       if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+               ( conn->c_dn != NULL ) )
+       {
+               *text = "cannot start TLS after authentication";
+               rc = LDAP_OPERATIONS_ERROR;
+               goto done;
+       }
+
+       if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
+               ( conn->c_dn != NULL ) )
+       {
+               /* force to anonymous */
+               connection2anonymous( conn );
+       }
+
        /* fail if TLS could not be initialized */
        if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
                || ctx == NULL)