
Re: Dual bind, single unbind?

Hallvard B Furuseth wrote:
Bjørn Ruberg writes:
slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" method=128
slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" mech=SIMPLE ssf=0

This is one Bind operation. Note that both have the same operation number. I suppose it's logged on two lines because there is too much info for one line.

This makes sense for logging purposes. However, it shouldn't count as two in the slapd-monitor backend. I am not sure that it does either, but these log entries are the best clues I have right now :)

I believe the first DN is the authentication identity - the DN you bound
with and gave a password for, and the second is the resulting
authorization identity - the one which gets access via "access"
statements etc.  Sometimes these can be different, when the server is
configured that way - e.g. with SASL binds.

OK, can this be reviewed somehow? Different log level, perhaps?

(The slapd I'm testing this against has just plain old simple auth, by the way.)

slapd[28594]: op=2 UNBIND

Note that Unbind is not the opposite of Bind, it really means "quit and terminate the session". The name is of historical origin, it made more sense in LDAPv2 than in v3.

But it should normally be one unbind for each bind, right? As long as the client behaves, that is.

Each Bind - even a failed Bind request - cancels any previous Bind.

...as the same DN I presume.

Thanks for your help so far.
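An added example, not part of the original message or of OpenLDAP: a small Python log summarizer that counts Bind and Unbind operations by operation number rather than by log line, and flags Binds whose two logged DNs differ, following the interpretation given in the thread. The function name `summarize`, the optional `conn=` field handling, and the sample text are assumptions made for this example.

```python
import re

# Constructed sample: the three log lines quoted in the thread, in the same
# format (the quoted lines carry no conn= field; it is treated as optional).
SAMPLE_LOG = '''\
slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" method=128
slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" mech=SIMPLE ssf=0
slapd[28594]: op=2 UNBIND
'''

LINE_RE = re.compile(
    r'(?:conn=(?P<conn>\d+)\s+)?op=(?P<op>\d+)\s+(?P<verb>[A-Z]+)(?P<rest>.*)')
DN_RE = re.compile(r'dn="([^"]*)"')


def summarize(log_text):
    """Count Bind/Unbind operations by (conn, op), not by log line."""
    bind_lines = 0
    binds = {}        # (conn, op) -> DNs logged for that one Bind, in order
    unbinds = set()   # (conn, op) of each Unbind
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an operation line
        key = (m["conn"], int(m["op"]))  # conn is None when the field is absent
        if m["verb"] == "BIND":
            bind_lines += 1
            dn = DN_RE.search(m["rest"])
            binds.setdefault(key, []).append(dn.group(1) if dn else None)
        elif m["verb"] == "UNBIND":
            unbinds.add(key)
    # Per the thread: the first DN is the identity bound with, the second the
    # resulting authorization identity. List Binds where the two differ.
    changed = [k for k, dns in binds.items()
               if len(dns) > 1 and dns[0] != dns[-1]]
    return {"bind_lines": bind_lines, "bind_operations": len(binds),
            "unbind_operations": len(unbinds), "identity_changed": changed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
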