ITS#9468 summarize discussion about rebind-as-user

servers/slapd/back-ldap/bind.c

@@ -1487,6 +1487,7 @@ retry:;
 		 * This can happen when connection to remote server has been
 		 * lost either due to remote server disconnecting it or due to
 		 * proxy disconnecting it by itself (idle-timeout, conn-ttl).
+		 * See comment in ldap_back_conn_prune().
 		 */
 		if ( !BER_BVISNULL( &lc->lc_bound_ndn ) && !BER_BVISEMPTY( &lc->lc_bound_ndn ) ) {
 			Debug( LDAP_DEBUG_ANY,
@@ -3090,6 +3091,22 @@ ldap_back_conn_expire_time( ldapinfo_t *li, ldapconn_t *lc) {
 	return -1;
 }
 
+/*
+ * Iterate though connections and close those that are pass the expiry time.
+ * Also calculate the time for next connection to to expire.
+ *
+ * Note:
+ * When the client sends a request after remote connection is pruned, a new
+ * connection is created but bind cannot be replayed even if "rebind-as-user"
+ * was set to "yes". The client credentials are stored in ldapconn_t and lost
+ * when the connection is freed.
+ *
+ * LDAP_DISCONNECT is sent to signal the client that it needs to reconnect to
+ * the proxy and rebind itself (see "Bind is requested with DN but without
+ * credentials" in ldap_back_dobind_int()). Better implementation would not
+ * free ldapconn_t but instead just close the socket. This is not implemented
+ * currently as it is considerable work for what is assumed to be a corner case.
+ */
 static void
 ldap_back_conn_prune( ldapinfo_t *li )
 {
@@ -3098,10 +3115,6 @@ ldap_back_conn_prune( ldapinfo_t *li )
 	TAvlnode	*edge;
 	int		c;
 
-	/*
-	 * Iterate though connections and close those that are pass the expiry time.
-	 * Also calculate the time for next connection to to expire.
-	 */
 	ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
 
 	for ( c = LDAP_BACK_PCONN_FIRST; c < LDAP_BACK_PCONN_LAST; c++ ) {