ITS#9468 back-ldap: Return disconect if rebind cannot be done
authorTero Saarni <tero.saarni@est.tech>
Fri, 5 Mar 2021 08:51:28 +0000 (10:51 +0200)
committerQuanah Gibson-Mount <quanah@openldap.org>
Tue, 11 May 2021 15:05:50 +0000 (15:05 +0000)
servers/slapd/back-ldap/bind.c

index 1d29dfa10d89de8c7d3b58723b6f120e7e6657b6..f9348002116a2e3668e3d964a3e59b94c5628951 100644 (file)
@@ -1482,9 +1482,25 @@ retry_lock:;
 retry:;
        if ( BER_BVISNULL( &lc->lc_cred ) ) {
                tmp_dn = "";
+               /*
+                * Bind is requested with DN but without credentials.
+                * This can happen when connection to remote server has been
+                * lost either due to remote server disconnecting it or due to
+                * proxy disconnecting it by itself (idle-timeout, conn-ttl).
+                */
                if ( !BER_BVISNULL( &lc->lc_bound_ndn ) && !BER_BVISEMPTY( &lc->lc_bound_ndn ) ) {
-                       Debug( LDAP_DEBUG_ANY, "%s ldap_back_dobind_int: DN=\"%s\" without creds, binding anonymously",
-                               op->o_log_prefix, lc->lc_bound_ndn.bv_val );
+                       Debug( LDAP_DEBUG_ANY,
+                              "%s ldap_back_dobind_int: DN=\"%s\" connection "
+                              "was re-established but cannot rebind without creds\n",
+                              op->o_log_prefix, lc->lc_bound_ndn.bv_val );
+                       rs->sr_text = "Proxy lost connection to remote server";
+                       rs->sr_err = LDAP_UNAVAILABLE;
+                       if ( sendok & LDAP_BACK_SENDERR ) {
+                               send_ldap_result( op, rs );
+                       }
+                       rs->sr_err = SLAPD_DISCONNECT;
+                       rc = 0;
+                       goto done;
                }
 
        } else {
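Review bot: The new comment above the `lc_bound_ndn` check says when credentials go missing but not why the anonymous fallback was dropped, which is the security-relevant part. Going by the removed log text, the old path presumably went on to bind anonymously, so the client's later operations would have reached the remote server under a different identity than the DN it authenticated as. I would add a line inside the branch such as `/* Never fall back to anonymous here: the session would silently continue under another identity. */`. Separately, `rs->sr_err` is overwritten with `SLAPD_DISCONNECT` right after the optional `send_ldap_result()`, so when `LDAP_BACK_SENDERR` is not set in `sendok` the `LDAP_UNAVAILABLE` code is never reported and callers must act on `SLAPD_DISCONNECT` with `rc = 0`. Neither that nor how `lc` is released can be confirmed here, because the `done:` label and the rest of the function lie outside the hunk.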