X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fbind.c;h=5d6034ad67611453cc542243b838045fb3043b2b;hb=451a9623f3108f397a58105041c6cd3bbf555b51;hp=1718e612d302c97195f7066349410cd3bf5151fd;hpb=eb5faf59284a79c1496535e05ac8385f906e2f06;p=openldap

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 1718e612d3..5d6034ad67 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2014 The OpenLDAP Foundation.
+ * Copyright 1999-2017 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -271,6 +271,8 @@ retry:;
 		if ( ldap_back_retry( &lc, op, rs, LDAP_BACK_BIND_SERR ) ) {
 			goto retry;
 		}
+		if ( !lc )
+			return( rc );
 	}
 
 	ldap_pvt_thread_mutex_lock( &li->li_counter_mutex );
@@ -924,7 +926,7 @@ retry_lock:
 
 			if ( lc != NULL ) {
 				if ( lc != LDAP_TAILQ_LAST( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv,
-					ldapconn_t, lc_q ) )
+					lc_conn_priv_q ) )
 				{
 					LDAP_TAILQ_REMOVE( &li->li_conn_priv[ LDAP_BACK_CONN2PRIV( lc ) ].lic_priv,
 						lc, lc_q );
@@ -1573,6 +1575,12 @@ retry:;
 			op->o_tag = o_tag;
 			rs->sr_text = "Proxy can't contact remote server";
 			send_ldap_result( op, rs );
+			/* if we originally bound and wanted rebind-as-user, must drop
+			 * the connection now because we just discarded the credentials.
+			 * ITS#7464, #8142
+			 */
+			if ( LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
+				rs->sr_err = SLAPD_DISCONNECT;
 		}
 
 		rc = 0;
@@ -1845,7 +1853,7 @@ retry:;
 		 * LDAP_COMPARE_{TRUE|FALSE}) */
 		default:
 			/* only touch when activity actually took place... */
-			if ( li->li_idle_timeout && lc ) {
+			if ( li->li_idle_timeout ) {
 				lc->lc_time = op->o_time;
 			}