s4:ldap_server: move invalid credential handling before the success handling.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

1 files changed, 15 insertions, 11 deletions

diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index fb4593de95f..e36cb1cebf6 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -424,7 +424,21 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 		result = LDAP_SASL_BIND_IN_PROGRESS;
 		errstr = NULL;
 		goto do_reply;
-	} else if (NT_STATUS_IS_OK(status)) {
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		status = nt_status_squash(status);
+		if (result == 0) {
+			result = LDAP_INVALID_CREDENTIALS;
+			errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
+							0x0C0904DC, status);
+		}
+		talloc_unlink(conn, conn->gensec);
+		conn->gensec = NULL;
+		goto do_reply;
+	}
+
+	{
 		struct ldapsrv_sasl_postprocess_context *context = NULL;
 
 		result = LDAP_SUCCESS;
@@ -544,16 +558,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 		}
 		talloc_unlink(conn, conn->gensec);
 		conn->gensec = NULL;
-	} else {
-		status = nt_status_squash(status);
-		if (result == 0) {
-			result = LDAP_INVALID_CREDENTIALS;
-			errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
-							0x0C0904DC, status);
-		}
-		talloc_unlink(conn, conn->gensec);
-		conn->gensec = NULL;
-		goto do_reply;
 	}
 
 do_reply: