s4:ldap_server: move invalid credential handling before the success handling.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index fb4593de95f4243c236473eb6f0bcb38fd30b3ca..e36cb1cebf69b66367776581d0cfd2a49fe67a66 100644 (file)
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -424,7 +424,21 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
                result = LDAP_SASL_BIND_IN_PROGRESS;
                errstr = NULL;
                goto do_reply;
-       } else if (NT_STATUS_IS_OK(status)) {
+       }
+
+       if (!NT_STATUS_IS_OK(status)) {
+               status = nt_status_squash(status);
+               if (result == 0) {
+                       result = LDAP_INVALID_CREDENTIALS;
+                       errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
+                                                       0x0C0904DC, status);
+               }
+               talloc_unlink(conn, conn->gensec);
+               conn->gensec = NULL;
+               goto do_reply;
+       }
+
+       {
                struct ldapsrv_sasl_postprocess_context *context = NULL;
 
                result = LDAP_SUCCESS;
@@ -544,16 +558,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
                }
                talloc_unlink(conn, conn->gensec);
                conn->gensec = NULL;
-       } else {
-               status = nt_status_squash(status);
-               if (result == 0) {
-                       result = LDAP_INVALID_CREDENTIALS;
-                       errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
-                                                       0x0C0904DC, status);
-               }
-               talloc_unlink(conn, conn->gensec);
-               conn->gensec = NULL;
-               goto do_reply;
        }
 
 do_reply: