ITS#8142 cleanup prev commit
authorHoward Chu <hyc@openldap.org>
Thu, 21 May 2015 00:20:16 +0000 (01:20 +0100)
committerQuanah Gibson-Mount <quanah@openldap.org>
Wed, 27 May 2015 23:17:03 +0000 (18:17 -0500)
Only drop connection if user originally bound to this backend,
and rebind-as-user was set. Sessions from other backends would
use idassert-bind so loss of creds doesn't affect them.

servers/slapd/back-ldap/bind.c
servers/slapd/back-ldap/search.c

index 2cf234e1020b97360e3e26a68a88c781c801536c..87eef16e1cc980b3c23462d982bb1c1e2b625e82 100644 (file)
@@ -1575,7 +1575,12 @@ retry:;
                        op->o_tag = o_tag;
                        rs->sr_text = "Proxy can't contact remote server";
                        send_ldap_result( op, rs );
-                       rs->sr_err = SLAPD_DISCONNECT;
+                       /* if we originally bound and wanted rebind-as-user, must drop
+                        * the connection now because we just discarded the credentials.
+                        * ITS#7464, #8142
+                        */
+                       if ( LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
+                               rs->sr_err = SLAPD_DISCONNECT;
                }
 
                rc = 0;
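Review bot: The disconnect test `LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op )` is written out here and again after `finish:` in search.c, with the comment copied verbatim. Because it decides whether a client session stays open after its saved credentials were discarded, the two sites must not drift apart. I would define it once in the back-ldap header under a name of the project's choosing, for example `#define LDAP_BACK_DROP_ON_UNAVAIL( li, op ) ( LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )` (a suggested name, not an existing macro), and keep the explanation there. The comment should also cover the other branch, which the commit message explains but the code does not, e.g. `/* otherwise keep the session: it did not bind here and will use idassert-bind */`. The enclosing block and the code that discards the credentials lie outside this hunk, so I could not check that `rs->sr_err` holds a sensible value when the condition is false.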
index 3a08b96851c8ab5fdd0082b7b2034e0a956c8355..b28b694945465d0d48e14ef0ec102a208982645c 100644 (file)
@@ -645,7 +645,12 @@ finish:;
                ldap_back_release_conn( li, lc );
        }
 
-       if ( rs->sr_err == LDAP_UNAVAILABLE )
+       if ( rs->sr_err == LDAP_UNAVAILABLE &&
+               /* if we originally bound and wanted rebind-as-user, must drop
+                * the connection now because we just discarded the credentials.
+                * ITS#7464, #8142
+                */
+               LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
                rs->sr_err = SLAPD_DISCONNECT;
        return rs->sr_err;
 }
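Review bot: The explanatory comment sits between the operands of the `if` condition, which makes the three-way test hard to read and easy to mis-edit. I would move it above the statement and brace the body. The test then fits on one line: `if ( rs->sr_err == LDAP_UNAVAILABLE && LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) ) {`. The function starts outside the hunk, so how `li` is derived is not visible here.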