fix bug #6073: prevent ads_connect() from using SSL unless explicitly requested
authorMichael Adam <obnox@samba.org>
Thu, 29 Jan 2009 12:17:46 +0000 (13:17 +0100)
committerKarolin Seeger <kseeger@samba.org>
Mon, 16 Feb 2009 08:56:47 +0000 (09:56 +0100)
This fixes "net ads join".
It copes with the changed default "ldap ssl = start tls".
A new boolean option "ldap ssl : ads" is added to allow for
explicitly requesting ssl with ads.

Michael
(cherry picked from commit d332da87068cd72489941010a33e372ab53d3bcc)

source/libads/ldap.c

index f3bc2c5032b11c81e4164a2c157968a3d3b59754..5c95d4f61246c75ebb0a6f29871b34f2780ff09e 100644 (file)
@@ -672,9 +672,11 @@ got_connection:
 
        ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
 
-       status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
-       if (!ADS_ERR_OK(status)) {
-               goto out;
+       if (lp_parm_bool(-1, "ldap ssl", "ads", false)) {
+               status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
+               if (!ADS_ERR_OK(status)) {
+                       goto out;
+               }
        }
 
        /* fill in the current time and offsets */
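Review bot: The new `if (lp_parm_bool(-1, "ldap ssl", "ads", false))` guard makes StartTLS opt-in with a default of false, so an administrator who sets only `ldap ssl = start tls` gets an ADS LDAP session without TLS, and nothing in the code or the log says so. A comment above the guard would record the intent, e.g. `/* StartTLS for ADS is opt-in via "ldap ssl : ads"; "ldap ssl" alone does not enable it here (bug #6073) */`. An `else` branch with `DEBUG(5, ("ads_connect: skipping StartTLS, \"ldap ssl : ads\" not set\n"));` would make the skipped upgrade visible when diagnosing a connection. Whether the later bind and traffic are protected some other way (for example by SASL sign/seal) cannot be seen from this hunk, and the parametric option presumably also needs an smb.conf(5) entry, which this page does not show. The enclosing function starts and ends outside the hunk.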