Don't let login_ldap fallback to cleartext if StartTLS failed (e.g. bad

hostname/certificate).

"hard TLS" (SSL-wrapped LDAP, aka ldaps://) is already handled correctly.

sysutils/login_ldap/Makefile

@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.22 2015/10/27 12:48:58 sthen Exp $
+# $OpenBSD: Makefile,v 1.23 2015/10/27 13:31:16 sthen Exp $
 
 COMMENT=	provide ldap authentication type
 
 DISTNAME=	login_ldap-3.51
-REVISION=	7
+REVISION=	8
 CATEGORIES=	sysutils
 
 HOMEPAGE=	http://sourceforge.net/projects/login-ldap/

sysutils/login_ldap/patches/patch-util_c

@@ -0,0 +1,33 @@
+$OpenBSD: patch-util_c,v 1.1 2015/10/27 13:31:16 sthen Exp $
+
+Don't fallback to cleartext if StartTLS failed.
+"hard TLS" (SSL-wrapped LDAP, aka ldaps://) is already handled correctly.
+
+--- util.c.orig	Tue Oct 27 13:09:52 2015
++++ util.c	Tue Oct 27 13:27:47 2015
+@@ -183,11 +183,11 @@ do_conn(struct auth_ctx *ctx)
+ 
+ 	/* 
+ 	 * it would be better to use ldap_init here as the manpages state
+-	 * ldap_open will be depreciated. however, if the server is 
++	 * ldap_open will be deprecated. however, if the server is 
+ 	 * unavailable we wont know till we try to bind when we use ldap_init,
+ 	 * which makes a mess of check alternate servers from login.conf. so,
+ 	 * we use ldap_open which will let us know straight away if a server 
+-	 * is unreachable servers. XXX gibberish
++	 * is unreachable.
+ 	 *
+ 	 * the other option is to use ldap_initalize() and ldap_open_defconn()
+ 	 * but since they are undocumented im avoiding them.
+@@ -212,8 +212,10 @@ do_conn(struct auth_ctx *ctx)
+ 	if (ctx->s.mode == MODE_STARTTLS) {
+ 		dlog(1, "starttls!");
+ 		rc = ldap_start_tls_s(ctx->ld, NULL, NULL);
+-		if (rc != LDAP_SUCCESS)
++		if (rc != LDAP_SUCCESS) {
+ 			dlog(0, "could not start tls!");
++			return(0);
++		}
+ 	}
+ 	return(1);
+ }