From fa1624a25297d8015fa82ce01a61869e1c8fd2cb Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Thu, 21 May 2015 01:20:16 +0100
Subject: [PATCH] ITS#8142 cleanup prev commit

Only drop connection if user originally bound to this backend,
and rebind-as-user was set. Sessions from other backends would
use idassert-bind so loss of creds doesn't affect them.
---
 servers/slapd/back-ldap/bind.c   | 7 ++++++-
 servers/slapd/back-ldap/search.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 2cf234e102..87eef16e1c 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1575,7 +1575,12 @@ retry:;
 			op->o_tag = o_tag;
 			rs->sr_text = "Proxy can't contact remote server";
 			send_ldap_result( op, rs );
-			rs->sr_err = SLAPD_DISCONNECT;
+			/* if we originally bound and wanted rebind-as-user, must drop
+			 * the connection now because we just discarded the credentials.
+			 * ITS#7464, #8142
+			 */
+			if ( LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
+				rs->sr_err = SLAPD_DISCONNECT;
 		}
 
 		rc = 0;
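Review bot: The disconnect condition `LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op )` at the added `if` is repeated verbatim, with the same comment, in the search.c hunk of this patch, so the two sites can drift apart the next time the rule changes. Because this test decides whether a client whose saved credentials were discarded keeps its session, I would put it behind one named macro in a shared back-ldap header (for example `LDAP_BACK_DROP_ON_UNAVAILABLE( li, op )`, a suggested name) and use it in both places. The comment could also carry the reason given in the commit message, e.g. `sessions authenticated by another backend use idassert-bind, so they are unaffected`. The credential discard the comment refers to and the start of this block are outside the hunk, so I could not confirm that the discard happens on every path that reaches this point.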
diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index 3a08b96851..b28b694945 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -645,7 +645,12 @@ finish:;
 		ldap_back_release_conn( li, lc );
 	}
 
-	if ( rs->sr_err == LDAP_UNAVAILABLE )
+	if ( rs->sr_err == LDAP_UNAVAILABLE &&
+		/* if we originally bound and wanted rebind-as-user, must drop
+		 * the connection now because we just discarded the credentials.
+		 * ITS#7464, #8142
+		 */
+		LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )
 		rs->sr_err = SLAPD_DISCONNECT;
 	return rs->sr_err;
 }
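Review bot: The block comment sits in the middle of the `if` condition just before `return rs->sr_err;`, which makes the three-part test hard to read and easy to break when another term is added. I would move the comment above the statement and brace the body: `if ( rs->sr_err == LDAP_UNAVAILABLE && LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) ) {`. When the new terms are false the function now returns `LDAP_UNAVAILABLE` instead of `SLAPD_DISCONNECT`, so a one-line comment stating that the session is deliberately kept in that case would help. The callers are not visible here, so their handling of that return code should be confirmed. The function body starts outside the hunk.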
-- 
GitLab