Re: Two concurrent sessions seen with 'threads=1'

On Tue, 2017-11-14 at 05:34 +0000, anshuman.manral@wipro.com wrote:
> When we set the config parameter 'threads' to a value of '1', we
> observed that two LDAP sessions are still established (expected 1).
> Digging further into the code, we observed that when a password is
> entered, a new session is intentionally triggered in the try_bind()
> function, over and above the already established session for the
> login.
> Wondering why we cannot use the existing session. Could you please
> clarify?

The most important reason for this is that the two LDAP connections do
not use the same credentials (one for lookups which can use a dedicated
account or anonymous and one for the user). There are also different
fail-over conditions for the two connections which make it simpler to
have two connections.

Also, I don't think you can go from one authenticated connection to an
unauthenticated (anonymous) one and I'm not sure about changing the
credentials on an existing connection. Some LDAP servers also do not
return very useful information on BIND failure which means there are
risks that a specific connection is actually authenticated differently
than expected.

Since this whole thing is security sensitive I tend to err on the side
of caution.

Hope this clarifies things,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
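A fail-closed version of the per-login BIND discussed above, as an added example that is not nslcd's code: it assumes the python-ldap LDAPObject interface (simple_bind_s/unbind_s) behind an injectable connect() and adds one check the message does not mention, refusing an empty password because RFC 4513 defines that as an unauthenticated bind that some servers answer with success as anonymous. The FakeConnection is a constructed stand-in so the example runs without a directory server.

```python
import logging

log = logging.getLogger("pwcheck")

def check_password(user_dn, password, connect):
    """Verify a password with a fresh simple BIND on a throw-away connection.

    connect() returns an object with simple_bind_s(dn, pw) and unbind_s(),
    i.e. the python-ldap LDAPObject interface (assumed). True only on a clean
    BIND success; anything else is a denial.
    """
    # An empty password is an "unauthenticated" bind (RFC 4513, 5.1.2) that some
    # servers answer with success-as-anonymous. Refuse it before touching the wire.
    if not password:
        return False
    conn = connect()
    try:
        conn.simple_bind_s(user_dn, password)
    except Exception as exc:
        # invalidCredentials, unwillingToPerform, server down...: servers are not
        # consistent about the reason, so every non-success is a failure.
        log.info("BIND as %s failed: %s", user_dn, type(exc).__name__)
        return False
    finally:
        # Never reuse this connection: its bind state is the user's, not the
        # lookup account's, and it cannot reliably be downgraded to anonymous.
        conn.unbind_s()
    return True

def ldap_connector(uri):
    """Build a connect() for check_password with python-ldap (assumed installed)."""
    def connect():
        import ldap  # lazy import so this module loads without python-ldap
        conn = ldap.initialize(uri)
        conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
        return conn
    return connect

class FakeConnection:
    """Constructed stand-in for an LDAPObject so the example runs offline."""
    def __init__(self, accepts):
        self.accepts, self.closed = accepts, False

    def simple_bind_s(self, dn, pw):
        if pw != self.accepts:
            raise RuntimeError("invalidCredentials")

    def unbind_s(self):
        self.closed = True
```

The lookup connection (dedicated account or anonymous) is never passed here; each call opens and closes its own, which is the separation the reply describes.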