From da725c7308fc1a98c2a2849e6dd6d4cd99eb0921 Mon Sep 17 00:00:00 2001
From: Anatoly Zaretsky
Date: Tue, 21 Mar 2023 05:03:16 +0200
Subject: [PATCH v1] Remove unnecessary unbind in LDAP search+bind mode

---
 doc/src/sgml/client-auth.sgml | 6 +++---
 src/backend/libpq/auth.c | 25 -------------------------
 2 files changed, 3 insertions(+), 28 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index b9d73deced..3e86b8eb65 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1775,13 +1775,13 @@ omicron bryanh guest1
 do an exact match of the attribute specified in ldapsearchattribute. Once the user has been found in
- this search, the server disconnects and re-binds to the directory as
+ this search, the server re-binds to the directory as
 this user, using the password specified by the client, to verify that the login is correct. This mode is the same as that used by LDAP authentication schemes in other software, such as Apache mod_authnz_ldap and pam_ldap. This method allows for significantly more flexibility in where the user objects are located in the directory, but will cause
- two separate connections to the LDAP server to be made.
+ two additional requests to the LDAP server to be made.
@@ -2008,7 +2008,7 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
 the LDAP server, perform a search for (uid=someuser) under the specified base DN. If an entry is found, it will then attempt to bind using that found information and the password supplied by the client.
- If that second connection succeeds, the database access is granted.
+ If that second bind succeeds, the database access is granted.
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index bc0cf26b12..a949258717 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2599,31 +2599,6 @@ CheckLDAPAuth(Port *port)
 pfree(filter);
 ldap_memfree(dn);
 ldap_msgfree(search_message);
-
- /* Unbind and disconnect from the LDAP server */
- r = ldap_unbind_s(ldap);
- if (r != LDAP_SUCCESS)
- {
- ereport(LOG,
- (errmsg("could not unbind after searching for user \"%s\" on server \"%s\"",
- fulluser, server_name)));
- pfree(passwd);
- pfree(fulluser);
- return STATUS_ERROR;
- }
-
- /*
- * Need to re-initialize the LDAP connection, so that we can bind to
- * it with a different username.
- */
- if (InitializeLDAPConnection(port, &ldap) == STATUS_ERROR)
- {
- pfree(passwd);
- pfree(fulluser);
-
- /* Error message already sent */
- return STATUS_ERROR;
- }
 }
 else
 fulluser = psprintf("%s%s%s",
base-commit: 8fba928fd78856712f69d96852f8061e77390fda
-- 
2.37.1 (Apple Git-137.1)