From 06ed78713786be4a3bc065414c283e97d5c33a7d Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Mon, 10 May 2021 21:41:02 +0300
Subject: [PATCH] ITS#9468 summarize discussion about rebind-as-user

---
 servers/slapd/back-ldap/bind.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index f934800211..02541d7bfd 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1487,6 +1487,7 @@ retry:;
 * This can happen when connection to remote server has been
 * lost either due to remote server disconnecting it or due to
 * proxy disconnecting it by itself (idle-timeout, conn-ttl).
+ * See comment in ldap_back_conn_prune().
 */
 if ( !BER_BVISNULL( &lc->lc_bound_ndn ) && !BER_BVISEMPTY( &lc->lc_bound_ndn ) ) {
 Debug( LDAP_DEBUG_ANY,
@@ -3090,6 +3091,22 @@ ldap_back_conn_expire_time( ldapinfo_t *li, ldapconn_t *lc)
 {
 return -1;
 }
+/*
+ * Iterate though connections and close those that are pass the expiry time.
+ * Also calculate the time for next connection to to expire.
+ *
+ * Note:
+ * When the client sends a request after remote connection is pruned, a new
+ * connection is created but bind cannot be replayed even if "rebind-as-user"
+ * was set to "yes". The client credentials are stored in ldapconn_t and lost
+ * when the connection is freed.
+ *
+ * LDAP_DISCONNECT is sent to signal the client that it needs to reconnect to
+ * the proxy and rebind itself (see "Bind is requested with DN but without
+ * credentials" in ldap_back_dobind_int()). Better implementation would not
+ * free ldapconn_t but instead just close the socket. This is not implemented
+ * currently as it is considerable work for what is assumed to be a corner case.
+ */
 static void
 ldap_back_conn_prune( ldapinfo_t *li )
 {
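Review bot: The new header comment on ldap_back_conn_prune() carries over three typos from the comment it replaces: "Iterate though", "are pass the expiry time" and "to to expire". Since the whole point of this commit is to document the function, the first two lines should read ` * Iterate through connections and close those that are past the expiry time.` and ` * Also calculate the time for the next connection to expire.`. Minor wording in the same block: "Better implementation would not free" reads more naturally as "A better implementation would not free". The body of ldap_back_conn_prune() continues outside this hunk.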
@@ -3098,10 +3115,6 @@ ldap_back_conn_prune( ldapinfo_t *li )
 TAvlnode *edge;
 int c;
- /*
- * Iterate though connections and close those that are pass the expiry time.
- * Also calculate the time for next connection to to expire.
- */
 ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
 for ( c = LDAP_BACK_PCONN_FIRST; c < LDAP_BACK_PCONN_LAST; c++ ) {