From 66ab6bafa8e290d842f68e683e3cd3ee63f513be Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Thu, 21 May 2015 01:20:16 +0100
Subject: [PATCH] ITS#8142 cleanup prev commit

Only drop connection if user originally bound to this backend, and rebind-as-user was set. Sessions from other backends would use idassert-bind so loss of creds doesn't affect them.
---
 servers/slapd/back-ldap/bind.c | 7 ++++++-
 servers/slapd/back-ldap/search.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d336dbb723..598dae3fd9 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1573,7 +1573,12 @@ retry:;
 op->o_tag = o_tag;
 rs->sr_text = "Proxy can't contact remote server";
 send_ldap_result( op, rs );
- rs->sr_err = SLAPD_DISCONNECT;
+ /* if we originally bound and wanted rebind-as-user, must drop
+ * the connection now because we just discarded the credentials.
+ * ITS#7464, #8142
+ */
+ if ( LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
+ rs->sr_err = SLAPD_DISCONNECT;
 }
 rc = 0;
diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index 3a08b96851..b28b694945 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -645,7 +645,12 @@ finish:;
 ldap_back_release_conn( li, lc );
 }
- if ( rs->sr_err == LDAP_UNAVAILABLE )
+ if ( rs->sr_err == LDAP_UNAVAILABLE &&
+ /* if we originally bound and wanted rebind-as-user, must drop
+ * the connection now because we just discarded the credentials.
+ * ITS#7464, #8142
+ */
+ LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
 rs->sr_err = SLAPD_DISCONNECT;
 return rs->sr_err;
 }
-- 
2.39.5
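Review bot: The disconnect guard added after `send_ldap_result( op, rs )` in bind.c, `LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op )`, is repeated verbatim with its comment in the search.c hunk at `finish:`. It decides whether a client session survives after its saved credentials were discarded, so the two copies should not be able to drift apart. I would define the predicate once, as a macro or static inline in a header both files already share, and call it from both sites. The comment covers only the disconnect case; a line such as `/* other sessions are proxied via idassert-bind, so they can stay connected */` would record why keeping the connection is safe, which today is stated only in the commit message. The unbraced `if` should also get braces, and the enclosing block starts before the hunk.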
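Review bot: At `finish:` in search.c the drop is still keyed on `rs->sr_err == LDAP_UNAVAILABLE`, while the new comment states that the credentials were just discarded. Nothing in this hunk shows that every path arriving here with that result code has actually discarded them, so the result code appears to stand in for the real state and should be confirmed against the retry path in bind.c. The block comment also sits between the `&&` operands, where it is easy to misread which terms belong to the condition. I would move it above the statement and write the test as `if ( rs->sr_err == LDAP_UNAVAILABLE && LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )`, with braces around the assignment. The function body begins outside the hunk.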