authorSumit Bose <sbose@redhat.com>2009-09-16 13:02:47 +0200
committerStephen Gallagher <sgallagh@redhat.com>2009-09-16 13:29:08 -0400
commited615a8b7a3053f12b557bd73e4fb1d56f7d2c8e (patch)
treead9dccac1d933b5e4dc7f2972b94aea91a5beed6
parentcc98edd9479d4622634a1275c98058916c14059a (diff)
Check if SSL/TLS handler is already in place
Authentication against an LDAP server should always use an encrypted connection. To achieve this the LDAP provider calls ldap_start_tls, which will fail if the connection is already encrypted, e.g. if an ldaps tunnel is already established. Because the error message from ldap_start_tls is not specific, we check the status with ldap_tls_inplace before calling ldap_start_tls.
-rw-r--r--server/providers/ldap/sdap_async.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/server/providers/ldap/sdap_async.c b/server/providers/ldap/sdap_async.c
index 1a0faf4ef..6ab88679f 100644
--- a/server/providers/ldap/sdap_async.c
+++ b/server/providers/ldap/sdap_async.c
@@ -578,10 +578,17 @@ static void sdap_connect_done(struct sdap_op *op,
DEBUG(3, ("START TLS result: %s(%d), %s\n",
ldap_err2string(state->result), state->result, errmsg));
+ if (ldap_tls_inplace(state->sh->ldap)) {
+ DEBUG(9, ("SSL/TLS handler already in place.\n"));
+ tevent_req_done(req);
+ return;
+ }
+
/* FIXME: take care that ldap_install_tls might block */
ret = ldap_install_tls(state->sh->ldap);
if (ret != LDAP_SUCCESS) {
- DEBUG(1, ("ldap_install_tls failed.\n"));
+ DEBUG(1, ("ldap_install_tls failed: [%d][%s]\n", ret,
+ ldap_err2string(ret)));
state->result = ret;
tevent_req_error(req, EIO);
return;