authorStefan Metzmacher <metze@samba.org>2017-05-12 12:44:05 +0200
committerAndrew Bartlett <abartlet@samba.org>2017-06-15 09:13:23 +0200
commit7605c67e079339c5e1b5b13199a705ece23c0ad6 (patch)
tree05a25af44f6461fadaa768429e550ed12d332151 /source4/ldap_server
parente8d431250edebf96c1d80aacf2f676c93da907f4 (diff)
s4:ldap_server: make sure we destroy the gensec context on error
If the client tries a new bind we need to start with a fresh context. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/ldap_server')
-rw-r--r--source4/ldap_server/ldap_bind.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 06b52fe9510..5c390b61fda 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -431,8 +431,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
result = LDAP_INVALID_CREDENTIALS;
errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
0x0C0904DC, status);
- talloc_unlink(conn, conn->gensec);
- conn->gensec = NULL;
goto do_reply;
}
@@ -559,6 +557,18 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
}
do_reply:
+ if (result != LDAP_SASL_BIND_IN_PROGRESS) {
+ /*
+ * We should destroy the gensec context
+ * when we hit a fatal error.
+ *
+ * Note: conn->gensec is already cleared
+ * for the LDAP_SUCCESS case.
+ */
+ talloc_unlink(conn, conn->gensec);
+ conn->gensec = NULL;
+ }
+
resp->response.resultcode = result;
resp->response.dn = NULL;
resp->response.errormessage = errstr;
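Review bot: The new cleanup under `do_reply:` only covers paths that reach the label, so any exit from ldapsrv_BindSASL that returns directly (an allocation failure, for example) would still leave `conn->gensec` in place for the client's next bind. The function body starts and ends outside this hunk, so this needs checking against the full function. The comment also says "fatal error" while the condition matches every final result, including LDAP_SUCCESS, where `talloc_unlink()` is handed a NULL pointer and its return value is ignored. I would make that explicit with `if (result != LDAP_SASL_BIND_IN_PROGRESS && conn->gensec != NULL) {` and reword the comment to `/* Any final result ends this SASL exchange: drop the gensec context so a new bind starts fresh (already NULL after LDAP_SUCCESS). */`.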