auth: Fix default SASL bind for LDAP

User may configure Dovecot to use SASL bind as default bind method.  This can
be the case when ldapi:/// (or ldaps:///) with SASL EXTERNAL is used.
Currently, Dovecot returns LDAP connection to wrong bind state after first
successful auth bind, LDAP simple bind always used to rebind.  This may broke
setup when ACL in LDAP configured not to allow search/bind for such simple
bind.

diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
index 520e9fdc3a24ee59a2317266412dc3c4ecd90f3c..502fc1ff8802c71c10325288abd6812d16eaf057 100644 (file)
--- a/src/auth/db-ldap.c
+++ b/src/auth/db-ldap.c
@@ -1027,7 +1027,7 @@ static int db_ldap_bind_sasl(struct ldap_connection *conn)
 }
 #endif
 
-static int db_ldap_bind(struct ldap_connection *conn)
+static int db_ldap_bind_simple(struct ldap_connection *conn)
 {
        int msgid;
 
@@ -1056,6 +1056,19 @@ static int db_ldap_bind(struct ldap_connection *conn)
        return 0;
 }
 
+static int db_ldap_bind(struct ldap_connection *conn)
+{
+       if (conn->set.sasl_bind) {
+               if (db_ldap_bind_sasl(conn) < 0)
+                       return -1;
+       } else {
+               if (db_ldap_bind_simple(conn) < 0)
+                       return -1;
+       }
+
+       return 0;
+}
+
 static void db_ldap_get_fd(struct ldap_connection *conn)
 {
        int ret;
@@ -1228,13 +1241,9 @@ int db_ldap_connect(struct ldap_connection *conn)
 #endif
        }
 
-       if (conn->set.sasl_bind) {
-               if (db_ldap_bind_sasl(conn) < 0)
-                       return -1;
-       } else {
-               if (db_ldap_bind(conn) < 0)
-                       return -1;
-       }
+       if (db_ldap_bind(conn) < 0)
+               return -1;
+
        if (debug) {
                if (gettimeofday(&end, NULL) == 0) {
                        int msecs = timeval_diff_msecs(&end, &start);