From 97217da5e32c1a9990dcb06d14df91409d777991 Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Fri, 5 Mar 2021 10:51:28 +0200
Subject: [PATCH] ITS#9468 back-ldap: Return disconect if rebind cannot be done
---
 servers/slapd/back-ldap/bind.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 1d29dfa10d..f934800211 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1482,9 +1482,25 @@ retry_lock:;
 retry:;
 if ( BER_BVISNULL( &lc->lc_cred ) ) {
 tmp_dn = "";
+ /*
+ * Bind is requested with DN but without credentials.
+ * This can happen when connection to remote server has been
+ * lost either due to remote server disconnecting it or due to
+ * proxy disconnecting it by itself (idle-timeout, conn-ttl).
+ */
 if ( !BER_BVISNULL( &lc->lc_bound_ndn ) && !BER_BVISEMPTY( &lc->lc_bound_ndn ) ) {
- Debug( LDAP_DEBUG_ANY, "%s ldap_back_dobind_int: DN=\"%s\" without creds, binding anonymously",
- op->o_log_prefix, lc->lc_bound_ndn.bv_val );
+ Debug( LDAP_DEBUG_ANY,
+ "%s ldap_back_dobind_int: DN=\"%s\" connection "
+ "was re-established but cannot rebind without creds\n",
+ op->o_log_prefix, lc->lc_bound_ndn.bv_val );
+ rs->sr_text = "Proxy lost connection to remote server";
+ rs->sr_err = LDAP_UNAVAILABLE;
+ if ( sendok & LDAP_BACK_SENDERR ) {
+ send_ldap_result( op, rs );
+ }
+ rs->sr_err = SLAPD_DISCONNECT;
+ rc = 0;
+ goto done;
 }
 } else {
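Review bot: The new disconnect path is reached only when `lc->lc_cred` is null, whereas the DN next to it is tested for both null and empty. If `lc_cred` can ever be non-null with zero length (not visible in this hunk), the `else` branch would presumably rebind with the DN and an empty password, which RFC 4513 treats as an unauthenticated bind, so the silent identity downgrade this patch closes could survive on that path. Consider `if ( BER_BVISNULL( &lc->lc_cred ) || BER_BVISEMPTY( &lc->lc_cred ) ) {` on the outer test, or confirm that saved credentials are never stored empty. The added comment says when this state arises but not why the client is dropped; a sentence such as `Falling back to an anonymous bind would silently change the identity later operations run under, so disconnect instead.` would record the rationale. The `done` label and the rest of `ldap_back_dobind_int` are outside the hunk, so whether the early `goto done` with `rc = 0` clears the binding state and releases the connection cannot be checked from here.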