Ticket 47970 - Account lockout attributes incorrectly updated after failed SASL Bind

Bug Description:   When a SASL bind fails, the target DN is not set. If password policy
                   account lockout is configured, it attempts to update the password retry
                   count on the dn ("") - which is the Root DSE entry, not a user entry.

                   This also confuses the COS plugin, and it incorrectly triggers a COS
                   cache rebuild after the failed login.

Fix Description:  Do not update the password retry counters if it is a failed SASL bind.

https://fedorahosted.org/389/ticket/47970

Reviewed by: nhosoi(Thanks!)

ldap/servers/slapd/result.c

@@ -364,16 +364,18 @@ send_ldap_result_ext(
     BerElement          *ber
 )
 {
-	Connection	*conn = pb->pb_conn;
-	int		i, rc, logit = 0;
-	ber_tag_t	tag;
-	int             flush_ber_element = 1;
 	Slapi_Operation *operation;
-	const char *dn = NULL;
+	passwdPolicy *pwpolicy = NULL;
+	Connection *conn = pb->pb_conn;
 	Slapi_DN *sdn = NULL;
+	const char *dn = NULL;
+	ber_tag_t	tag;
+	int flush_ber_element = 1;
+	int bind_method = 0;
 	int internal_op;
-	passwdPolicy *pwpolicy = NULL;
-	
+	int i, rc, logit = 0;
+
+	slapi_pblock_get (pb, SLAPI_BIND_METHOD, &bind_method);
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 
 	if (operation->o_status == SLAPI_OP_STATUS_RESULT_SENT) {
@@ -451,7 +453,7 @@ send_ldap_result_ext(
 
 	/* invalid password.  Update the password retry here */
 	/* put this here for now.  It could be a send_result pre-op plugin. */
-	if (err == LDAP_INVALID_CREDENTIALS) {
+	if (err == LDAP_INVALID_CREDENTIALS && bind_method != LDAP_AUTH_SASL ) {
 		slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
 		dn = slapi_sdn_get_dn(sdn);
 		pwpolicy = new_passwdPolicy(pb, dn);