s4:ldap_server: make sure we destroy the gensec context on error
authorStefan Metzmacher <metze@samba.org>
Fri, 12 May 2017 10:44:05 +0000 (12:44 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 15 Jun 2017 07:13:23 +0000 (09:13 +0200)
If the client tries a new bind, we need to start with a fresh context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/ldap_server/ldap_bind.c

index 06b52fe9510c2c797e501c5699571408155b414c..5c390b61fdafb51946e4b6ae9d02abc1379316f0 100644 (file)
@@ -431,8 +431,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
                result = LDAP_INVALID_CREDENTIALS;
                errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
                                                0x0C0904DC, status);
-               talloc_unlink(conn, conn->gensec);
-               conn->gensec = NULL;
                goto do_reply;
        }
 
@@ -559,6 +557,18 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
        }
 
 do_reply:
+       if (result != LDAP_SASL_BIND_IN_PROGRESS) {
+               /*
+                * We should destroy the gensec context
+                * when we hit a fatal error.
+                *
+                * Note: conn->gensec is already cleared
+                * for the LDAP_SUCCESS case.
+                */
+               talloc_unlink(conn, conn->gensec);
+               conn->gensec = NULL;
+       }
+
        resp->response.resultcode = result;
        resp->response.dn = NULL;
        resp->response.errormessage = errstr;
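Review bot: The new block after `do_reply:` only tears down conn->gensec on paths that reach the label, so any early `return` from ldapsrv_BindSASL that bypasses `do_reply` (an out-of-memory NTSTATUS, for instance) would still leave a partially negotiated context attached to the connection; the function body starts and ends outside this hunk, so whether such paths exist cannot be confirmed here and should be checked. The comment could also carry the reason the commit message gives, since it is the security-relevant part: `* A failed or completed bind must not leave a half-negotiated` / `* context behind, or a later bind on this connection would` / `* resume it instead of starting fresh.` It is worth stating in the same comment that `talloc_unlink()` tolerates a NULL pointer (it returns -1 and does nothing), which is what makes the unconditional call safe in the LDAP_SUCCESS case the note already mentions. The first hunk removes the same two lines from the LDAP_INVALID_CREDENTIALS branch, which now relies entirely on this block.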