s3: fix bug #6073: prevent ads_connect() from using SSL unless explicitly requested
authorMichael Adam <obnox@samba.org>
Thu, 29 Jan 2009 12:04:01 +0000 (13:04 +0100)
committerMichael Adam <obnox@samba.org>
Thu, 29 Jan 2009 12:23:06 +0000 (13:23 +0100)
This fixes "net ads join".
It copes with the changed default "ldap ssl = start tls".
A new boolean option "ldap ssl : ads" is added to allow
explicitly requesting SSL with ADS.

Michael

source3/libads/ldap.c

index f6da54f35ba74bd16faef61be092db73b9ec0fc5..bb2b58e237269f6a30924bd6bd323b1a26bcc75a 100644 (file)
@@ -672,9 +672,11 @@ got_connection:
 
        ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
 
-       status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
-       if (!ADS_ERR_OK(status)) {
-               goto out;
+       if (lp_parm_bool(-1, "ldap ssl", "ads", false)) {
+               status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
+               if (!ADS_ERR_OK(status)) {
+                       goto out;
+               }
        }
 
        /* fill in the current time and offsets */
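Review bot: The new `if (lp_parm_bool(-1, "ldap ssl", "ads", false))` makes StartTLS on ADS connections opt-in with a default of false, and nothing at the call site says that the global "ldap ssl" setting no longer applies here. An administrator who sets `ldap ssl = start tls` could reasonably assume this connection is covered, so the guard deserves a comment such as `/* StartTLS for ADS is opt-in via "ldap ssl : ads"; the global "ldap ssl" value alone does not enable it on this path. */`. With the option unset, confidentiality and integrity of the LDAP traffic presumably rest on the SASL layer negotiated later in the function, which is outside this hunk and worth confirming. The parametric option should also be described in the smb.conf documentation, since it only appears here as a string literal.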