From: Nick Porter <nick@portercomputing.co.uk>
Date: Thu, 13 Apr 2023 15:43:25 +0000 (+0100)
Subject: Only need trunk for lookups if we don't have a cached DN
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c47e03cab52b8ca99b84dc53fc293037b9573a9d;p=thirdparty%2Ffreeradius-server.git

Only need trunk for lookups if we don't have a cached DN

If the cached DN is already in the control list, then there is no need
to perform any lookup queries - just the auth bind will be done, which
is not on the trunk used for queries.
---

diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 48ce9694ce..d2e5221db2 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -277,7 +277,6 @@ typedef struct {
 	char const		*password;
 	rlm_ldap_t const	*inst;
 	fr_ldap_thread_t	*thread;
-	fr_ldap_thread_trunk_t	*ttrunk;
 	ldap_auth_mod_env_t	*mod_env;
 } ldap_auth_ctx_t;
 
@@ -1119,13 +1118,19 @@ cleanup:
 /** Perform async lookup of user DN if required for authentication
  *
  */
-static unlang_action_t mod_authenticate_start(UNUSED rlm_rcode_t *p_result, UNUSED int *priority,
+static unlang_action_t mod_authenticate_start(rlm_rcode_t *p_result, UNUSED int *priority,
 					      request_t *request, void *uctx)
 {
-	ldap_auth_ctx_t	*auth_ctx = talloc_get_type_abort(uctx, ldap_auth_ctx_t);
+	ldap_auth_ctx_t		*auth_ctx = talloc_get_type_abort(uctx, ldap_auth_ctx_t);
+	fr_ldap_thread_trunk_t	*ttrunk;
+	rlm_ldap_t const 	*inst = auth_ctx->inst;
+
+	ttrunk = fr_thread_ldap_trunk_get(auth_ctx->thread, inst->handle_config.server, inst->handle_config.admin_identity,
+					  inst->handle_config.admin_password, request, &inst->handle_config);
+	if (!ttrunk) RETURN_MODULE_FAIL;
 
 	return rlm_ldap_find_user_async(auth_ctx, auth_ctx->inst, request, &auth_ctx->mod_env->user_base,
-					&auth_ctx->mod_env->user_filter, auth_ctx->ttrunk, NULL, NULL);
+					&auth_ctx->mod_env->user_filter, ttrunk, NULL, NULL);
 }
 
 /** Initiate async LDAP bind to authenticate user
@@ -1176,7 +1181,6 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 {
 	rlm_ldap_t const 	*inst = talloc_get_type_abort_const(mctx->inst->data, rlm_ldap_t);
 	fr_ldap_thread_t	*thread = talloc_get_type_abort(module_rlm_thread_by_data(inst)->data, fr_ldap_thread_t);
-	fr_ldap_thread_trunk_t	*ttrunk = NULL;
 	ldap_auth_ctx_t		*auth_ctx;
 	ldap_auth_mod_env_t	*mod_env = talloc_get_type_abort(mctx->env_data, ldap_auth_mod_env_t);
 
@@ -1223,10 +1227,6 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 		RDEBUG2("Login attempt with password");
 	}
 
-	ttrunk =  fr_thread_ldap_trunk_get(thread, inst->handle_config.server, inst->handle_config.admin_identity,
-					   inst->handle_config.admin_password, request, &inst->handle_config);
-	if (!ttrunk) RETURN_MODULE_FAIL;
-
 	RDEBUG2("Login attempt by \"%pV\"", &username->data);
 
 	auth_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_auth_ctx_t);
@@ -1234,8 +1234,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result,
 		.password = password->vp_strvalue,
 		.thread = thread,
 		.inst = inst,
-		.mod_env = mod_env,
-		.ttrunk = ttrunk
+		.mod_env = mod_env
 	};
 
 	/*