apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Erenkrantz <jerenkra...@ebuilt.com>
Subject Re: Leaving LDAP connections as bound
Date Wed, 08 Aug 2001 21:33:41 GMT
On Wed, Aug 08, 2001 at 01:00:38AM +0200, Graham Leggett wrote:
> The behavior at the moment after a module has completed whatever it
> needed to do (such as authentication) is to unbind from the user who
> bound, but stay connected so that the connection can be reused.
> The question is: Is unbinding (logging out, effectively) necessary?
> The reason I ask, is that I have the following senario in mind:
> The mod_auth_ldap module (coming soon) makes a connection to the LDAP
> server, then binds as the specified system account (could be anonymous).
> It then performs whatever magic it needs to to authenticate and
> authorise a user, and finishes by unbinding.
> Down the line, the LDAP extension to mod_proxy runs (coming soon), which
> embeds attributes into mod_include (potentially). This new module would
> then rebind again - reusing the same connection that mod_auth_ldap used.
> Could we not cut out the unbind so that downstream modules deed not
> rebind? Is this a security risk leaving bound LDAP connections floating
> around inside the server?
> Is keeping connections across modules a good idea, or should we rather
> just keep connections open for each module?

Since I think LDAP connections are cheap (cf. database connections which
are typically very expensive to bring up), I don't think it'd be a
problem to just unbind/disconnect each time.  I think it makes sense to
have each module have its own separate LDAP connection - rather than
sharing them across the entire system.

However, if you are binding as the anonymous LDAP user, you could 
certainly just keep the connection open as there is no security risk at
all.  For non-anonymous bindings, I'd think it'd be best if you keep 
that connection open for as short a time as possible and don't reuse

My $.02.  You could really go any way you want with this.  -- justin

View raw message