--- samba-4.5.0.old/source4/ldap_server/ldap_bind.c 2016-09-29 23:58:02.724898331 -0700
+++ samba-4.5.0/source4/ldap_server/ldap_bind.c 2016-09-30 00:30:09.920911521 -0700
@@ -244,7 +244,29 @@
 if (!context) {
 status = NT_STATUS_NO_MEMORY;
 }
- }
+ } else {
+ switch (conn->require_strong_auth) {
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
+ break;
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
+ if (conn->sockets.active == conn->sockets.tls) {
+ break;
+ }
+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
+ result = LDAP_STRONG_AUTH_REQUIRED;
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: not allowed if TLS is used.",
+ req->creds.SASL.mechanism);
+ break;
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
+ result = LDAP_STRONG_AUTH_REQUIRED;
+ errstr = talloc_asprintf(reply,
+ "SASL:[%s]: Sign or Seal are required.",
+ req->creds.SASL.mechanism);
+ break;
+ }
+ }

 if (context && conn->sockets.tls) {
 TALLOC_FREE(context);
@@ -275,28 +297,6 @@
 status = NT_STATUS_NO_MEMORY;
 }
 }
- } else {
- switch (call->conn->require_strong_auth) {
- case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
- break;
- case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
- if (call->conn->sockets.active == call->conn->sockets.tls) {
- break;
- }
- status = NT_STATUS_NETWORK_ACCESS_DENIED;
- result = LDAP_STRONG_AUTH_REQUIRED;
- errstr = talloc_asprintf(reply,
- "SASL:[%s]: not allowed if TLS is used.",
- req->creds.SASL.mechanism);
- break;
- case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
- status = NT_STATUS_NETWORK_ACCESS_DENIED;
- result = LDAP_STRONG_AUTH_REQUIRED;
- errstr = talloc_asprintf(reply,
- "SASL:[%s]: Sign or Seal are required.",
- req->creds.SASL.mechanism);
- break;
- }
 }

 if (result != LDAP_SUCCESS) {
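Review bot: The relocated `switch (conn->require_strong_auth)` in the first hunk has no `default:` label, so a value outside the three listed constants leaves `status` and `result` untouched and the bind is accepted without signing, sealing or TLS; putting `default:` directly above `case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:` would make an unexpected setting fail closed. In the `ALLOW_SASL_OVER_TLS` case the rejection is reached only when `conn->sockets.active` is not the TLS socket, yet the client-visible text says "not allowed if TLS is used."; wording such as `"SASL:[%s]: requires TLS or Sign/Seal."` would match the condition, provided no test matches on the old string. A one-line comment on the new `else`, for example `/* no SIGN/SEAL negotiated: enforce require_strong_auth */`, would record why the check now sits on this branch. The `if` that this `else` pairs with begins above the hunk, so that reading is inferred from the "Sign or Seal are required." message rather than from a visible condition.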