TL/09 Add expansion variable $authenticated_fail_id to keep track of
last id that failed so it may be referenced in subsequent ACL's.
+TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
+ Alexander Miroch.
+
Exim version 4.80.1
-------------------
uschar *password;
BOOL bound;
int port;
+ BOOL is_start_tls_called;
LDAP *ld;
} LDAP_CONNECTION;
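Review bot: The new field `is_start_tls_called` is added to `LDAP_CONNECTION` without a comment, and its name says "called" although the later hunk appears to set it only after the TLS start has returned without error. A comment such as `/* TRUE once StartTLS has succeeded on this cached connection */` would record the actual meaning. A name along the lines of `start_tls_done` would also sit more naturally next to the existing `bound`. The struct definition begins outside this hunk.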
lcp->port = port;
lcp->ld = ld;
lcp->next = ldap_connections;
+ lcp->is_start_tls_called = FALSE;
ldap_connections = lcp;
}
{
DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
(lcp->bound)? "re-" : "", user, password);
- if (eldap_start_tls)
+ if (eldap_start_tls && !lcp->is_start_tls_called)
{
#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
/* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
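Review bot: The added `!lcp->is_start_tls_called` test in the `if` carries no comment explaining why TLS initiation is skipped when a cached connection is re-bound. A line above the `if` would make the intent clear to the next reader, for example `/* TLS can be started only once per connection; skip it when re-binding a cached one */`. The body of this `if` and the enclosing function continue outside the hunk.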
" %s", host, porttext, rc, ldap_err2string(rc));
goto RETURN_ERROR;
}
+ lcp->is_start_tls_called = TRUE;
#else
DEBUG(D_lookup)
debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
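Review bot: `lcp->is_start_tls_called = TRUE` sits only in the `#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)` branch, while the `#else` branch shown here only emits a debug line when `eldap_start_tls` is set. If the code after the hunk then goes on to bind, as it appears to, the bind credentials are sent without TLS even though TLS was requested, and only debug output reports it. Since the commit already touches this block, consider making the `#else` branch set the error text and `goto RETURN_ERROR;` so that a requested but unavailable TLS start fails closed. Whether a connection that stays cached after a failed TLS start is retried with the flag still FALSE cannot be seen from this hunk and is worth checking.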