From: Nick Porter
Date: Mon, 28 Aug 2023 16:12:34 +0000 (+0100)
Subject: SASL user binds do not need to look up the user DN
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b9ef95cb992773a4b7dfa75d84ad20ec4e4cee2;p=thirdparty%2Ffreeradius-server.git

SASL user binds do not need to look up the user DN

This means that if user binds use SASL, and the LDAP module has not already been called to retrieve the user object, there is no need to perform the initial lookup of the DN. So, in the case that LDAP's sole purpose is to perform authentication this reduces the number of LDAP calls made.
---
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index c4633a066b7..1b4c1432fee 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -1142,39 +1142,43 @@ static unlang_action_t mod_authenticate_resume(rlm_rcode_t *p_result, UNUSED int ldap_auth_ctx_t *auth_ctx = talloc_get_type_abort(uctx, ldap_auth_ctx_t); /* - * Arriving here from an LDAP search will mean the dn in auth_ctx is NULL. - */ - if (!auth_ctx->dn) auth_ctx->dn = rlm_find_user_dn_cached(request); - - /* - * No DN found - can't authenticate the user. - */ - if (!auth_ctx->dn) { - fail: - talloc_free(auth_ctx); - RETURN_MODULE_FAIL; - } - - RDEBUG2("Login attempt as \"%s\"", auth_ctx->dn); - - /* - * Attempt a bind using the thread specific trunk for bind auths + * SASL bind auth will have the mech set. */ if (auth_ctx->call_env->user_sasl_mech.type == FR_TYPE_STRING) { #ifdef WITH_SASL ldap_auth_call_env_t *call_env = auth_ctx->call_env; + + RDEBUG2("Login attept using identity \"%pV\"", &call_env->user_sasl_authname); + if (fr_ldap_sasl_bind_auth_async(request, auth_ctx->thread, call_env->user_sasl_mech.vb_strvalue, call_env->user_sasl_authname.vb_strvalue, auth_ctx->password, call_env->user_sasl_proxy.vb_strvalue, call_env->user_sasl_realm.vb_strvalue) < 0) goto fail; + return UNLANG_ACTION_PUSHED_CHILD; #else RDEBUG("Configuration item 'sasl.mech' is not supported. " "The linked version of libldap does not provide ldap_sasl_bind( function"); RETURN_MODULE_FAIL; #endif - } else { - if (fr_ldap_bind_auth_async(request, auth_ctx->thread, auth_ctx->dn, auth_ctx->password) < 0) goto fail; } + + /* + * Arriving here from an LDAP search will mean the dn in auth_ctx is NULL. + */ + if (!auth_ctx->dn) auth_ctx->dn = rlm_find_user_dn_cached(request); + + /* + * No DN found - can't authenticate the user with a simple bind. + */ + if (!auth_ctx->dn) { + fail: + talloc_free(auth_ctx); + RETURN_MODULE_FAIL; + } + + RDEBUG2("Login attempt as \"%s\"", auth_ctx->dn); + + if (fr_ldap_bind_auth_async(request, auth_ctx->thread, auth_ctx->dn, auth_ctx->password) < 0) goto fail; return UNLANG_ACTION_PUSHED_CHILD; } 
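Review bot: The new debug line in the WITH_SASL branch has a typo in a user-visible log string: `RDEBUG2("Login attept using identity \"%pV\"", &call_env->user_sasl_authname);` should read `"Login attempt using identity \"%pV\""`, matching the "Login attempt as" message used for the simple bind further down. On this path the identity logged is the SASL authname taken from call_env rather than a resolved DN, and no user object is looked up or cached for later sections; the commit message says that is intentional, so the new comment could state it, e.g. `SASL bind auth will have the mech set; no DN lookup is needed, the user is identified by the SASL authname.` The `goto fail` in the SASL branch now jumps forward into the body of the later `if (!auth_ctx->dn)` block, which is legal C but easy to misread, so a comment on the label such as `fail:	/* also reached from the SASL branch above */` would help. mod_authenticate_resume's signature is outside the hunk.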
@@ -1231,7 +1235,8 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 */
 auth_ctx->dn = rlm_find_user_dn_cached(request);

- if (unlang_function_push(request, auth_ctx->dn ? NULL : mod_authenticate_start, mod_authenticate_resume,
+ if (unlang_function_push(request, auth_ctx->dn || (call_env->user_sasl_mech.type == FR_TYPE_STRING) ?
+ NULL : mod_authenticate_start, mod_authenticate_resume,
 NULL, 0, UNLANG_SUB_FRAME, auth_ctx) < 0) RETURN_MODULE_FAIL;

 return UNLANG_ACTION_PUSHED_CHILD;
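Review bot: The new condition passed to unlang_function_push relies on `||` binding tighter than `?:`, so `auth_ctx->dn || (call_env->user_sasl_mech.type == FR_TYPE_STRING) ? NULL : mod_authenticate_start` does what is intended but reads ambiguously; hoisting it into a named local, `bool need_lookup = !auth_ctx->dn && (call_env->user_sasl_mech.type != FR_TYPE_STRING);` and passing `need_lookup ? mod_authenticate_start : NULL`, would make the intent obvious. The same mech test is repeated in mod_authenticate_resume; if the two ever diverge, the resume function would demand a DN that this push decided not to look up and the request would fail, so a comment tying them together (`/* must match the SASL check in mod_authenticate_resume */`) is worth adding here. It also looks as though `rlm_find_user_dn_cached(request)` just above is still called on the SASL path even though its result is then unused, presumably harmless as a cache lookup. mod_authenticate's body continues outside the hunk, and `call_env` is assumed to be a local already in scope there.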