diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 2cf234e1020b97360e3e26a68a88c781c801536c..87eef16e1cc980b3c23462d982bb1c1e2b625e82 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1575,7 +1575,12 @@ retry:;
 			op->o_tag = o_tag;
 			rs->sr_text = "Proxy can't contact remote server";
 			send_ldap_result( op, rs );
-			rs->sr_err = SLAPD_DISCONNECT;
+			/* if we originally bound and wanted rebind-as-user, must drop
+			 * the connection now because we just discarded the credentials.
+			 * ITS#7464, #8142
+			 */
+			if ( LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
+				rs->sr_err = SLAPD_DISCONNECT;
 		}
 
 		rc = 0;
diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index 3a08b96851c8ab5fdd0082b7b2034e0a956c8355..b28b694945465d0d48e14ef0ec102a208982645c 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -645,7 +645,12 @@ finish:;
 		ldap_back_release_conn( li, lc );
 	}
 
-	if ( rs->sr_err == LDAP_UNAVAILABLE )
+	if ( rs->sr_err == LDAP_UNAVAILABLE &&
+		/* if we originally bound and wanted rebind-as-user, must drop
+		 * the connection now because we just discarded the credentials.
+		 * ITS#7464, #8142
+		 */
+		LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
 		rs->sr_err = SLAPD_DISCONNECT;
 	return rs->sr_err;
 }