[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Dual bind, single unbind?

On Mon, 2005-10-10 at 23:50 +0200, BjÃrn Ruberg wrote:
> Hallvard B Furuseth wrote:
> > BjÃrn Ruberg writes:
> >> slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" method=128
> >> slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" mech=SIMPLE ssf=0
> > 
> > This is one Bind operation.  Note that both have the same operation
> > number.  I suppose it's logged on two lines because there is too much
> > info for one line.
> This makes sense for logging purposes. However, it shouldn't count as 
> two in the slapd-monitor backend.

It doesn't.  The monitor backend keeps track of the operations as
they're started and then completed by the frontend.  The fact that you
see more binds than unbinds may be related to many clients that are too
lazy to execute unbind.

>  I am not sure that it does either, but 
> these log entries are the best clues I have right now :)
> > I believe the first DN is the authentication identity - the DN you bound
> > with and gave a password for, and the second is the resulting
> > authorization identity - the one which gets access via "access"
> > statements etc.  Sometimes these can be different, when the server is
> > configured that way - e.g. with SASL binds.
> OK, can this be reviewed somehow? Different log level, perhaps?
> (The slapd I'm testing this against has just plain old simple auth, by 
> the way.)
> >> slapd[28594]: op=2 UNBIND
> > 
> > Note that Unbind is not the opposite of Bind, it really means "quit and
> > terminate the session".  The name is of historical origin, it made more
> > sense in LDAPv2 than in v3.
> But it should normally be one unbind for each bind, right?

No.  Normally, there should be one unbind per each "open".  You may
think that clients typically bind just once.  This may be not correct.
A typical client may open a connection; bind anonymously to query the
rootDSE and see what services a DSA provides (namingContexts, controls,
features, auth mechs and so) and then bind with some identity.  This
means two binds for one open; thus, if the client is clever enough,
you'll see just one unbind.

>  As long as 
> the client behaves, that is.
> > Each Bind - even a failed Bind request - cancel any previous Bind.
> ...as the same DN I presume.

as the bound DN.


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497