From 0f521e636b5965896eec1ec3d8732d39db924672 Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova <nivanova@symas.com>
Date: Fri, 1 Mar 2024 15:13:47 +0200
Subject: [PATCH] ITS#10227 Asyncmeta will not reset a connection if a bind
 operation fails with LDAP_OTHER, leaving the connection in invalid state

---
 servers/slapd/back-asyncmeta/bind.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/servers/slapd/back-asyncmeta/bind.c b/servers/slapd/back-asyncmeta/bind.c
index f0dc2a6f39..feebf44780 100644
--- a/servers/slapd/back-asyncmeta/bind.c
+++ b/servers/slapd/back-asyncmeta/bind.c
@@ -851,18 +851,29 @@ asyncmeta_back_proxy_authz_cred(
 				mt->mt_idassert_sasl_mech.bv_val, NULL, NULL,
 				LDAP_SASL_QUIET, lutil_sasl_interact,
 				defaults );
-
 		/* restore the old timeout just in case */
 		ldap_set_option( msc->msc_ld, LDAP_OPT_TIMEOUT, (void *)&old_tv );
 
 		rs->sr_err = slap_map_api2result( rs );
 		if ( rs->sr_err != LDAP_SUCCESS ) {
+			char *xtext = NULL;
+			rs->sr_text = "Failure to execute SASL bind to remote target.";
+			ldap_get_option( msc->msc_ld,
+							 LDAP_OPT_DIAGNOSTIC_MESSAGE, &xtext );
+			if ( xtext != NULL && xtext [ 0 ] == '\0' ) {
+				ldap_memfree( xtext );
+				xtext = NULL;
+			}
+
 			if ( LogTest( asyncmeta_debug ) ) {
 				char	time_buf[ SLAP_TEXT_BUFLEN ];
 				asyncmeta_get_timestamp(time_buf);
-				Debug( asyncmeta_debug, "[%s] asyncmeta_back_proxy_authz_cred failed bind msc: %p\n",
-				      time_buf, msc );
+				Debug( asyncmeta_debug, "[%s] asyncmeta_back_proxy_authz_cred failed bind msc: %p with message %s\n",
+					   time_buf, msc,  (xtext ? xtext : "") );
 			}
+			if ( xtext )
+				ldap_memfree( xtext );
+
 			LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
 			if ( sendok & LDAP_BACK_SENDERR ) {
 				send_ldap_result( op, rs );
@@ -1701,10 +1712,13 @@ asyncmeta_dobind_init_with_retry(Operation *op, SlapReply *rs, bm_context_t *bc,
 retry_dobind:
 	ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex );
 	rc = asyncmeta_dobind_init(op, rs, bc, mc, candidate);
-	if (rs->sr_err != LDAP_UNAVAILABLE && rs->sr_err != LDAP_BUSY) {
+	if (rs->sr_err != LDAP_UNAVAILABLE &&
+		rs->sr_err != LDAP_BUSY &&
+		rs->sr_err != LDAP_OTHER ) {
 		ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex );
 		return rc;
-	} else if (bc->nretries[candidate] == 0) {
+	} else if ( bc->nretries[candidate] == 0 ||
+				rs->sr_err == LDAP_OTHER ) {
 		char	buf[ SLAP_TEXT_BUFLEN ];
 		snprintf( buf, sizeof( buf ), "called from %s:%d", __FILE__, __LINE__ );
 		asyncmeta_reset_msc(NULL, mc, candidate, 0, buf);
-- 
2.47.2