apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <minf...@sharp.fm>
Subject Leaving LDAP connections as bound
Date Tue, 07 Aug 2001 23:00:38 GMT
(A repost - not sure if this got out)


I have a security related question related to the way the APR_LDAP
library in apr-util should work.

The library implements a list of open LDAP connections - the idea is
that connections should be reused where this is possible.

The behavior at the moment after a module has completed whatever it
needed to do (such as authentication) is to unbind from the user who
bound, but stay connected so that the connection can be reused.

The question is: Is unbinding (logging out, effectively) necessary?

The reason I ask, is that I have the following senario in mind:

The mod_auth_ldap module (coming soon) makes a connection to the LDAP
server, then binds as the specified system account (could be anonymous).
It then performs whatever magic it needs to to authenticate and
authorise a user, and finishes by unbinding.

Down the line, the LDAP extension to mod_proxy runs (coming soon), which
embeds attributes into mod_include (potentially). This new module would
then rebind again - reusing the same connection that mod_auth_ldap used.

Could we not cut out the unbind so that downstream modules deed not
rebind? Is this a security risk leaving bound LDAP connections floating
around inside the server?

Is keeping connections across modules a good idea, or should we rather
just keep connections open for each module?

minfrin@sharp.fm		"There's a moon
					over Bourbon Street
View raw message