3 files changed, 9 insertions, 1 deletions

diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 47b2208880..7287e3d998 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -1054,12 +1054,18 @@ static int smbldap_connect_system(struct smbldap_state *ldap_state, LDAP * ldap_
 	int version;
 
 	if (!ldap_state->anonymous && !ldap_state->bind_dn) {
+		char *bind_dn = NULL;
+		char *bind_secret = NULL;
 
 		/* get the default dn and password only if they are not set already */
-		if (!fetch_ldap_pw(&ldap_state->bind_dn, &ldap_state->bind_secret)) {
+		if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
 			DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
 			return LDAP_INVALID_CREDENTIALS;
 		}
+		smbldap_set_creds(ldap_state, false, bind_dn, bind_secret);
+		SAFE_FREE(bind_dn);
+		memset(bind_secret, '\0', strlen(bind_secret));
+		SAFE_FREE(bind_secret);
 	}
 
 	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite 
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 8b87c2cd4c..29e0662396 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -891,6 +891,7 @@ bool fetch_ldap_pw(char **dn, char** pw)
 	if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
 		SAFE_FREE(*dn);
 		DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
+		return false;
 	}
 
 	*pw=(char *)secrets_fetch(key, &size);
diff --git a/source3/winbindd/idmap_ldap.c b/source3/winbindd/idmap_ldap.c
index 3d1dd488d6..375c04a0bf 100644
--- a/source3/winbindd/idmap_ldap.c
+++ b/source3/winbindd/idmap_ldap.c
@@ -131,6 +131,7 @@ static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
 			DEBUG(2, ("get_credentials: Failed to lookup ldap "
 				  "bind creds. Using anonymous connection.\n"));
 			anon = True;
+			*dn = NULL;
 		} else {
 			*dn = talloc_strdup(mem_ctx, user_dn);
 			SAFE_FREE( user_dn );