Only need trunk for lookups if we don't have a cached DN
authorNick Porter <nick@portercomputing.co.uk>
Thu, 13 Apr 2023 15:43:25 +0000 (16:43 +0100)
committerNick Porter <nick@portercomputing.co.uk>
Thu, 13 Apr 2023 18:28:02 +0000 (19:28 +0100)
If the cached DN is already in the control list, there is no need
to perform any lookup queries - only the auth bind is done, and that
does not use the trunk reserved for queries.

src/modules/rlm_ldap/rlm_ldap.c

index 48ce9694ceff724b94cbe878777fa392ad0f42c3..d2e5221db2a3e8bafb3f5a69ab91430928094fc5 100644 (file)
@@ -277,7 +277,6 @@ typedef struct {
        char const              *password;
        rlm_ldap_t const        *inst;
        fr_ldap_thread_t        *thread;
-       fr_ldap_thread_trunk_t  *ttrunk;
        ldap_auth_mod_env_t     *mod_env;
 } ldap_auth_ctx_t;
 
@@ -1119,13 +1118,19 @@ cleanup:
 /** Perform async lookup of user DN if required for authentication
  *
  */
-static unlang_action_t mod_authenticate_start(UNUSED rlm_rcode_t *p_result, UNUSED int *priority,
+static unlang_action_t mod_authenticate_start(rlm_rcode_t *p_result, UNUSED int *priority,
                                              request_t *request, void *uctx)
 {
-       ldap_auth_ctx_t *auth_ctx = talloc_get_type_abort(uctx, ldap_auth_ctx_t);
+       ldap_auth_ctx_t         *auth_ctx = talloc_get_type_abort(uctx, ldap_auth_ctx_t);
+       fr_ldap_thread_trunk_t  *ttrunk;
+       rlm_ldap_t const        *inst = auth_ctx->inst;
+
+       ttrunk = fr_thread_ldap_trunk_get(auth_ctx->thread, inst->handle_config.server, inst->handle_config.admin_identity,
+                                         inst->handle_config.admin_password, request, &inst->handle_config);
+       if (!ttrunk) RETURN_MODULE_FAIL;
 
        return rlm_ldap_find_user_async(auth_ctx, auth_ctx->inst, request, &auth_ctx->mod_env->user_base,
-                                       &auth_ctx->mod_env->user_filter, auth_ctx->ttrunk, NULL, NULL);
+                                       &auth_ctx->mod_env->user_filter, ttrunk, NULL, NULL);
 }
 
 /** Initiate async LDAP bind to authenticate user
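Review bot: The new local `inst` is introduced at the top of `mod_authenticate_start` for the trunk lookup, but the `rlm_ldap_find_user_async` call that follows still passes `auth_ctx->inst`; using the local in both places, `return rlm_ldap_find_user_async(auth_ctx, inst, request, &auth_ctx->mod_env->user_base,`, keeps the function consistent with itself. The doc comment above the function still describes only the lookup, while `RETURN_MODULE_FAIL` is now reachable from here when `fr_thread_ldap_trunk_get` returns NULL; a line such as ` * Fails the request if no query trunk can be obtained for the current thread.` would record the new failure path. Because the trunk is now acquired unconditionally inside this function, the "if required" in the doc comment presumably refers to the caller deciding whether to schedule it, which is outside this hunk; it is worth confirming that nothing schedules it for the cached-DN case, otherwise the trunk acquisition this commit intends to avoid still happens.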
@@ -1176,7 +1181,6 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 {
        rlm_ldap_t const        *inst = talloc_get_type_abort_const(mctx->inst->data, rlm_ldap_t);
        fr_ldap_thread_t        *thread = talloc_get_type_abort(module_rlm_thread_by_data(inst)->data, fr_ldap_thread_t);
-       fr_ldap_thread_trunk_t  *ttrunk = NULL;
        ldap_auth_ctx_t         *auth_ctx;
        ldap_auth_mod_env_t     *mod_env = talloc_get_type_abort(mctx->env_data, ldap_auth_mod_env_t);
 
@@ -1223,10 +1227,6 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                RDEBUG2("Login attempt with password");
        }
 
-       ttrunk =  fr_thread_ldap_trunk_get(thread, inst->handle_config.server, inst->handle_config.admin_identity,
-                                          inst->handle_config.admin_password, request, &inst->handle_config);
-       if (!ttrunk) RETURN_MODULE_FAIL;
-
        RDEBUG2("Login attempt by \"%pV\"", &username->data);
 
        auth_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_auth_ctx_t);
@@ -1234,8 +1234,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
                .password = password->vp_strvalue,
                .thread = thread,
                .inst = inst,
-               .mod_env = mod_env,
-               .ttrunk = ttrunk
+               .mod_env = mod_env
        };
 
        /*