| From: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
|---|---|
| To: | Anatoly Zaretsky <anatoly(dot)zaretsky(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH] Remove unnecessary unbind in LDAP search+bind mode |
| Date: | 2023-07-03 09:53:03 |
| Message-ID: | 0c969a5d-8f90-2e88-4abb-908a0ddde1ae@eisentraut.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 23.03.23 02:45, Anatoly Zaretsky wrote:
> Comments in src/backend/libpq/auth.c [1] say:
> (after successfully finding the final DN to check the user-supplied
> password against)
> /* Unbind and disconnect from the LDAP server */
> and later
> /*
> * Need to re-initialize the LDAP connection, so that we can bind to
> * it with a different username.
> */
>
> But the protocol actually permits multiple subsequent authentications
> ("binds" in LDAP parlance) over a single connection [2].
> Moreover, inspection of the code revision history of mod_authnz_ldap,
> pam_ldap, Bugzilla, and MediaWiki LDAP authentication plugin, shows that
> they've been doing this bind-after-search over the same LDAP connection
> for ~20 years without any evidence of interoperability troubles.
> So, it seems like the whole connection re-initialization thing was just
> a confusion caused by this very unfortunate "historical" naming, and can
> be safely removed, thus saving quite a few network round-trips,
> especially for the case of ldaps/starttls.
Your reasoning and your patch look correct to me.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jakub Wartak | 2023-07-03 09:53:56 | Re: Performance degradation on concurrent COPY into a single relation in PG16. |
| Previous Message | Peter Eisentraut | 2023-07-03 09:41:07 | Re: Improve list manipulation in several places |