
Bug 633803 - passwordisglobalpolicy attribute brakes TLS chaining

https://bugzilla.redhat.com/show_bug.cgi?id=633803
Resolves: bug 633803
Bug Description: passwordisglobalpolicy attribute brakes TLS chaining
Reviewed by: nkinder (Thanks!)
Branch: master
Fix Description: If not binding in cb_get_connection, we need to explicitly
do the start_tls.  The start_tls and mechanism settings were not being
applied to the bind_pool connections.
I tried setting passwordIsGlobalPolicy on and off.  That did not seem to make
a difference.  I believe the problem is caused by the
nsslapd-require-secure-binds attribute being set to "on".
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
Rich Megginson %!s(int64=14) %!d(string=hai) anos
e1c9a73a8e

+ 18 - 0
ldap/servers/plugins/chainingdb/cb_conn_stateless.c

@@ -458,6 +458,24 @@ cb_get_connection(cb_conn_pool * pool,
 					}	
 					ldap_controls_free(serverctrls);
 				}
+			} else if (secure == 2) {
+				int rc;
+				/* the start_tls operation is usually performed in slapi_ldap_bind, but
+				   since we are not binding we still need to start_tls */
+				if (cb_debug_on()) {
+                			slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
+							 "<= cb_get_connection doing start_tls on connection 0x%p\n", conn );
+				}
+				if ((rc = ldap_start_tls_s(ld, NULL, NULL))) {
+					PRErrorCode prerr = PR_GetError();
+					slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM, 
+							"Unable to do start_tls on connection to %s:%d "
+							"LDAP error %d:%s NSS error %d:%s\n", hostname, port,
+							rc, ldap_err2string(rc), prerr,
+							slapd_pr_strerror(prerr));
+							
+					goto unlock_and_return;
+				}
 			}
 
 			conn = (cb_outgoing_conn *) slapi_ch_malloc(sizeof(cb_outgoing_conn));
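Review bot: The `int rc;` declared at the top of the new `else if (secure == 2)` branch is block-local, so if cb_get_connection keeps a function-scope rc that `unlock_and_return` hands back to the caller (the function begins and ends outside this hunk), the StartTLS failure code never reaches it and the caller can be handed a success status with no usable connection, on exactly the path where `secure == 2` means cleartext must not be used. Dropping the local declaration so the outer variable is assigned, `if ((rc = ldap_start_tls_s(ld, NULL, NULL))) {`, or otherwise setting the function's error return before the goto, closes that gap. It is also worth checking against the bind path's failure handling that the freshly initialized `ld` is released on this path: nothing in the branch unbinds it before the jump, and if `unlock_and_return` does not free it, every failed StartTLS leaks an LDAP handle. A short comment, `/* secure == 2: StartTLS is mandatory here; bail out rather than fall back to cleartext */`, would document why this branch aborts instead of continuing to the connection allocation below.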

+ 5 - 0
ldap/servers/plugins/chainingdb/cb_instance.c

@@ -1391,6 +1391,7 @@ static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int
 	if ((LDAP_SUCCESS == rc) && apply) {
 	        slapi_rwlock_wrlock(inst->rwl_config_lock);
 		inst->pool->starttls=(int) ((uintptr_t)value);
+		inst->bind_pool->starttls=inst->pool->starttls;
 	        slapi_rwlock_unlock(inst->rwl_config_lock);
 		if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
     			( phase != CB_CONFIG_PHASE_STARTUP )) {
@@ -1443,6 +1444,9 @@ static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int
 			if (inst->pool->mech) {
 			    charray_add(&inst->pool->waste_basket,inst->pool->mech);
 			}
+			if (inst->bind_pool->mech) {
+			    charray_add(&inst->pool->waste_basket,inst->bind_pool->mech);
+			}
 			rc=CB_REOPEN_CONN;
 		}
 
@@ -1451,6 +1455,7 @@ static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int
 		} else {
 		    inst->pool->mech=slapi_ch_strdup((char *) value);
 		}
+		inst->bind_pool->mech = slapi_ch_strdup(inst->pool->mech);
                	slapi_rwlock_unlock(inst->rwl_config_lock);
 	}
 done:
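Review bot: The unconditional `inst->bind_pool->mech = slapi_ch_strdup(inst->pool->mech);` at the end of cb_instance_bindmech_set only has its previous value retired in the branch above it (the charray_add of the bind pool's mech), so when that branch is skipped — apparently the initialization and startup phases, judging by the phase test visible in cb_instance_starttls_set — any earlier bind_pool->mech is overwritten without being freed, mirroring the existing pool->mech handling. That is presumably harmless on a first-time load but easy to misread later, so a comment above the assignment, `/* bind_pool->mech mirrors pool->mech; for dynamic changes the old string was queued on pool->waste_basket above */`, would make the ownership explicit. It would also document the choice to park the old bind-pool string on `inst->pool->waste_basket` rather than a bind-pool basket, which is only correct if that basket is the one drained on CB_REOPEN_CONN — I cannot confirm that from these hunks. cb_instance_bindmech_set's body continues outside the hunks.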