From 1dca769ab6421b3c5edf4da5fc66e022b4a1177c Mon Sep 17 00:00:00 2001
Message-Id: <1dca769ab6421b3c5edf4da5fc66e022b4a1177c.1492527639.git.hahn@univention.de>
From: Philipp Hahn
Date: Tue, 18 Apr 2017 15:39:49 +0200
Subject: [PATCH] Bug #43459 bind: Assert encrypted connection
Organization: Univention GmbH, Bremen, Germany

Make sure the connection is encrypted if 'x-tls' is given. Otherwise the connections stays unencrypted and the password is transmitted unprotected in clear text.
---
 bin/named/ldapdb.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/bin/named/ldapdb.c b/bin/named/ldapdb.c
index 3cfff9cbb1..e1bf40dc73 100644
--- a/bin/named/ldapdb.c
+++ b/bin/named/ldapdb.c
@@ -282,9 +282,21 @@ ldapdb_bind(const char *zone, struct ldapdb_data *data, LDAP **ldp) {
 /* -- Start TLS. -- */
 #ifdef LDAPDB_TLS
 if (data->tls) {
- ldap_start_tls_s(*ldp, NULL, NULL);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(2),
- "LDAP sdb zone '%s': ldapdb_bind(): Started TLS", zone);
+ if ((rc = ldap_start_tls_s(*ldp, NULL, NULL)) == LDAP_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(2),
+ "LDAP sdb zone '%s': ldapdb_bind(): Started TLS", zone);
+ } else {
+ char *msg = NULL;
+ ldap_get_option(*ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void *)&msg);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_ERROR,
+ "LDAP sdb zone '%s': ldapdb_bind(): ldap_start_tls_s() failed: %s",
+ zone, msg);
+ ldap_memfree(msg);
+
+ ldap_unbind_ext(*ldp, NULL, NULL);
+ *ldp = NULL;
+ goto try_bind_again;
+ }
 }
 #endif
-- 
2.11.0
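Review bot: In the new else branch, `msg` can still be NULL when the error is logged — the `ldap_get_option()` return value is not checked and the server may supply no diagnostic message — so the `%s` argument to `isc_log_write()` should fall back to the error code already captured in `rc`, e.g. `zone, msg ? msg : ldap_err2string(rc));`. The `try_bind_again` label and the rest of `ldapdb_bind()` are outside the hunk (the function starts before it and continues after it); it is worth confirming that the retry path re-attempts with `data->tls` still set and is bounded, since a retry that binds without StartTLS would send the password in clear text — the exact situation the commit sets out to prevent — and an unbounded retry against a server that never accepts StartTLS would spin. A short comment on the `goto` stating that intent, e.g. `/* never fall back to an unencrypted bind; retry only re-runs the TLS handshake */`, would make the security contract visible at the point it is relied on.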