diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index a9462bb740..1a6a1e6eeb 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -1035,7 +1035,7 @@ backend_check_restrictions( if( requires & SLAP_REQUIRE_STRONG ) { /* should check mechanism */ if( ( op->o_transport_ssf < ssf->sss_transport - && op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 ) + && op->o_authtype == LDAP_AUTH_SIMPLE ) || op->o_dn.bv_len == 0 ) { rs->sr_text = "strong authentication required"; rs->sr_err = LDAP_STRONG_AUTH_REQUIRED; @@ -1044,7 +1044,7 @@ backend_check_restrictions( } if( requires & SLAP_REQUIRE_SASL ) { - if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) { + if( op->o_authtype != LDAP_AUTH_SASL || op->o_dn.bv_len == 0 ) { rs->sr_text = "SASL authentication required"; rs->sr_err = LDAP_STRONG_AUTH_REQUIRED; return rs->sr_err; diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 15eae9758d..68d39f0766 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -684,8 +684,11 @@ do_bind( #endif /* defined( LDAP_SLAPI ) */ cleanup: - if ( rs->sr_err == LDAP_SUCCESS && method != LDAP_AUTH_SASL ) { - ber_dupbv( &op->o_conn->c_authmech, &mech ); + if ( rs->sr_err == LDAP_SUCCESS ) { + if ( method != LDAP_AUTH_SASL ) { + ber_dupbv( &op->o_conn->c_authmech, &mech ); + } + op->o_conn->c_authtype = method; } op->o_conn->c_sasl_bindop = NULL;