From 23af2c36e23be325fcd70f1b58a22250b9afa0c7 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Mon, 19 Jun 2017 16:09:41 -0700
Subject: [PATCH] ITS#8675 - Fix tools to not continue on TLS error

The spec says that upon StartTLS 'success', both TLS communications is established on the octet following the Start TLS response (and the request)... and that once one starts TLS communications, one can never go back to LDAP without TLS. So if there's a TLS failure (whether as part of TLS nego or later), LDAP communications cannot be continued (without TLS). Only ignoring LDAP errors (rc > 0) ensures that if TLS negotiation fails, we don't attempt to send LDAP operations without TLS.
---
 clients/tools/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clients/tools/common.c b/clients/tools/common.c
index 67088ebfec..518017ae6b 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -1451,7 +1451,7 @@ dnssrv_free:;
 		ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
 		tool_perror( "ldap_start_tls", rc, NULL, NULL, msg, NULL );
 		ldap_memfree(msg);
-		if ( use_tls > 1 ) {
+		if ( use_tls > 1 || rc < 0 ) {
 			tool_exit( ld, EXIT_FAILURE );
 		}
 	}
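Review bot: The new `rc < 0` test on the changed line relies on libldap's result-code sign convention — negative values are local/API failures, which per the commit message is where a failed TLS negotiation lands, while positive values are the server's result code for the StartTLS extended operation — and nothing at this site records that, so the reasoning the commit message gives will be invisible to the next reader of common.c. A comment on the changed line would carry it: `/* rc < 0: local/TLS-layer failure; the session can no longer carry cleartext LDAP, so never continue. rc > 0: server declined StartTLS, tolerated unless TLS was made mandatory (use_tls > 1). */`. It is worth saying there explicitly that with use_tls == 1 a server-side refusal still lets the tool go on without TLS by design, so that nobody later "simplifies" the condition to a single `rc != 0` or drops the `rc < 0` half and reopens the silent-downgrade case this commit closes. The enclosing if block and the function around it begin outside the hunk, so the earlier check that I assume routes only rc != LDAP_SUCCESS into this path is not visible here.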