From 85a6e73695d6c16bdb896bbb4c7b95d1dc74de60 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 11 May 2017 21:14:00 +0200
Subject: [PATCH] s4:ldap_server: only set *resp->SASL.secblob = output for OK
 or MORE_PROCESSING_REQUIRED

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/ldap_server/ldap_bind.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 337ce125125..451f9d5b56b 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -419,9 +419,9 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 
 	status = gensec_update_ev(conn->gensec, reply, conn->connection->event.ctx,
 				  input, &output);
-	*resp->SASL.secblob = output;
 
 	if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
+		*resp->SASL.secblob = output;
 		result = LDAP_SASL_BIND_IN_PROGRESS;
 		errstr = NULL;
 		goto do_reply;
@@ -553,6 +553,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 	talloc_unlink(conn, conn->gensec);
 	conn->gensec = NULL;
 
+	*resp->SASL.secblob = output;
+
 do_reply:
 	if (result != LDAP_SASL_BIND_IN_PROGRESS) {
 		/*
-- 
2.47.2