Do not attempt to use START_TLS on SSL connections

Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.

https://fedorahosted.org/sssd/ticket/795

1 files changed, 17 insertions, 9 deletions

diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index f4bbabf6b..e45d5b3ed 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -547,15 +547,23 @@ static void auth_resolve_done(struct tevent_req *subreq)
         return;
     }
 
-    /* Check for undocumented debugging feature to disable TLS
-     * for authentication. This should never be used in production
-     * for obvious reasons.
-     */
-    use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
-    if (!use_tls) {
-        sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
-                               "insecure connection. This should be done "
-                               "for debugging purposes only.");
+    /* Determine whether we need to use TLS */
+    if (sdap_is_secure_uri(state->ctx->service->uri)) {
+        DEBUG(8, ("[%s] is a secure channel. No need to run START_TLS\n",
+                  state->ctx->service->uri));
+        use_tls = false;
+    } else {
+
+        /* Check for undocumented debugging feature to disable TLS
+         * for authentication. This should never be used in production
+         * for obvious reasons.
+         */
+        use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS);
+        if (!use_tls) {
+            sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over "
+                                   "insecure connection. This should be done "
+                                   "for debugging purposes only.");
+        }
     }
 
     subreq = sdap_connect_send(state, state->ev, state->ctx->opts,