auth: Fix default SASL bind for LDAP

User may configure Dovecot to use SASL bind as default bind method. This can be the case when ldapi:/// (or ldaps:///) with SASL EXTERNAL is used. Currently, Dovecot returns LDAP connection to wrong bind state after first successful auth bind, LDAP simple bind always used to rebind. This may broke setup when ACL in LDAP configured not to allow search/bind for such simple bind.
dovecot · Oct 13, 2016 · 79d9a65 · 79d9a65
1 parent aae4595
commit 79d9a65
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
@@ -1027,7 +1027,7 @@ static int db_ldap_bind_sasl(struct ldap_connection *conn)
 }
 #endif
 
-static int db_ldap_bind(struct ldap_connection *conn)
+static int db_ldap_bind_simple(struct ldap_connection *conn)
 {
 	int msgid;
 
@@ -1056,6 +1056,19 @@ static int db_ldap_bind(struct ldap_connection *conn)
 	return 0;
 }
 
+static int db_ldap_bind(struct ldap_connection *conn)
+{
+	if (conn->set.sasl_bind) {
+		if (db_ldap_bind_sasl(conn) < 0)
+			return -1;
+	} else {
+		if (db_ldap_bind_simple(conn) < 0)
+			return -1;
+	}
+
+	return 0;
+}
+
 static void db_ldap_get_fd(struct ldap_connection *conn)
 {
 	int ret;
@@ -1228,13 +1241,9 @@ int db_ldap_connect(struct ldap_connection *conn)
 #endif
 	}
 
-	if (conn->set.sasl_bind) {
-		if (db_ldap_bind_sasl(conn) < 0)
-			return -1;
-	} else {
-		if (db_ldap_bind(conn) < 0)
-			return -1;
-	}
+	if (db_ldap_bind(conn) < 0)
+		return -1;
+
 	if (debug) {
 		if (gettimeofday(&end, NULL) == 0) {
 			int msecs = timeval_diff_msecs(&end, &start);