authorPeter Eisentraut2023-07-09 06:22:34 +0000
committerPeter Eisentraut2023-07-09 06:51:46 +0000
commitf8d03ea727e48c894174c4e5e6ebafc3a17ab3f7 (patch)
treebe1e69c5a7e81c800da5c867c4fbe6f6c973be32
parent89333db963af20988fc407463ea626b1c41404e8 (diff)
Remove unnecessary unbind in LDAP search+bind mode
Comments in src/backend/libpq/auth.c say: (after successfully finding the final DN to check the user-supplied password against) /* Unbind and disconnect from the LDAP server */ and later /* * Need to re-initialize the LDAP connection, so that we can bind to * it with a different username. */ But the protocol actually permits multiple subsequent authentications ("binds") over a single connection. So, it seems like the whole connection re-initialization thing was just a confusion and can be safely removed, thus saving quite a few network round-trips, especially for the case of ldaps/starttls. Author: Anatoly Zaretsky <[email protected]> Discussion: https://www.postgresql.org/message-id/flat/CALbq6kmJ-1+58df4B51ctPfTOSyPbY8Qi2=ct8oR=i4TamkUoQ@mail.gmail.com
-rw-r--r--doc/src/sgml/client-auth.sgml6
-rw-r--r--src/backend/libpq/auth.c25
2 files changed, 3 insertions, 28 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 204d09df67..1f2fdcb4f5 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1775,13 +1775,13 @@ omicron bryanh guest1
do an exact match of the attribute specified in
<replaceable>ldapsearchattribute</replaceable>.
Once the user has been found in
- this search, the server disconnects and re-binds to the directory as
+ this search, the server re-binds to the directory as
this user, using the password specified by the client, to verify that the
login is correct. This mode is the same as that used by LDAP authentication
schemes in other software, such as Apache <literal>mod_authnz_ldap</literal> and <literal>pam_ldap</literal>.
This method allows for significantly more flexibility
in where the user objects are located in the directory, but will cause
- two separate connections to the LDAP server to be made.
+ two additional requests to the LDAP server to be made.
</para>
<para>
@@ -2008,7 +2008,7 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
the LDAP server, perform a search for <literal>(uid=someuser)</literal>
under the specified base DN. If an entry is found, it will then attempt to
bind using that found information and the password supplied by the client.
- If that second connection succeeds, the database access is granted.
+ If that second bind succeeds, the database access is granted.
</para>
<para>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a98b934a8e..2b119e9ca4 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2611,31 +2611,6 @@ CheckLDAPAuth(Port *port)
pfree(filter);
ldap_memfree(dn);
ldap_msgfree(search_message);
-
- /* Unbind and disconnect from the LDAP server */
- r = ldap_unbind_s(ldap);
- if (r != LDAP_SUCCESS)
- {
- ereport(LOG,
- (errmsg("could not unbind after searching for user \"%s\" on server \"%s\"",
- fulluser, server_name)));
- pfree(passwd);
- pfree(fulluser);
- return STATUS_ERROR;
- }
-
- /*
- * Need to re-initialize the LDAP connection, so that we can bind to
- * it with a different username.
- */
- if (InitializeLDAPConnection(port, &ldap) == STATUS_ERROR)
- {
- pfree(passwd);
- pfree(fulluser);
-
- /* Error message already sent */
- return STATUS_ERROR;
- }
}
else
fulluser = psprintf("%s%s%s",
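Review bot: Dropping the unbind/re-initialize step leaves no comment after `ldap_msgfree(search_message);` saying why one LDAP session can carry both the search bind and the user bind, so a later reader may again suspect the search-bind credentials linger on the handle. Per the protocol a subsequent Bind replaces the session's authentication state, and a failed Bind leaves the session anonymous (RFC 4511 §4.2, §4.2.1), so after a failed user bind nothing but the final unbind should be issued on this handle; the user bind itself is outside this hunk, so I could not confirm that here. Suggest a short comment at the old location, e.g. `/* Keep the connection: the user bind below replaces the search-bind identity (RFC 4511 §4.2). */`. The enclosing CheckLDAPAuth continues outside the hunk.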