| From: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
|---|---|
| To: | Anatoly Zaretsky <anatoly(dot)zaretsky(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH] Remove unnecessary unbind in LDAP search+bind mode |
| Date: | 2023-07-09 06:57:37 |
| Message-ID: | ef00389e-d23d-c01f-e19d-0c16284804f8@eisentraut.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 03.07.23 11:53, Peter Eisentraut wrote:
> On 23.03.23 02:45, Anatoly Zaretsky wrote:
>> Comments in src/backend/libpq/auth.c [1] say:
>> (after successfully finding the final DN to check the user-supplied
>> password against)
>> /* Unbind and disconnect from the LDAP server */
>> and later
>> /*
>> * Need to re-initialize the LDAP connection, so that we can bind to
>> * it with a different username.
>> */
>>
>> But the protocol actually permits multiple subsequent authentications
>> ("binds" in LDAP parlance) over a single connection [2].
>> Moreover, inspection of the code revision history of mod_authnz_ldap,
>> pam_ldap, Bugzilla, and MediaWiki LDAP authentication plugin, shows
>> that they've been doing this bind-after-search over the same LDAP
>> connection for ~20 years without any evidence of interoperability
>> troubles.
>
>> So, it seems like the whole connection re-initialization thing was
>> just a confusion caused by this very unfortunate "historical"
>> naming, and can be safely removed, thus saving quite a few
>> network round-trips, especially for the case of ldaps/starttls.
>
> Your reasoning and your patch look correct to me.
committed
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gurjeet Singh | 2023-07-09 07:01:03 | Re: BUG #18016: REINDEX TABLE failure |
| Previous Message | Thomas Munro | 2023-07-09 06:35:39 | Re: check_strxfrm_bug() |