Commit1feff99

committed
Improve LDAP cleanup code in error paths.
After calling ldap_unbind_s() we probably shouldn't try to use the LDAP connection again to call ldap_get_option(), even if it failed. The OpenLDAP man page for ldap_unbind[_s] says "Once it is called, the connection to the LDAP server is closed, and the ld structure is invalid." Otherwise, as a general rule we should probably call ldap_unbind() before returning in all paths to avoid leaking resources. It is unlikely there is any practical leak problem since failure to authenticate currently results in the backend exiting soon afterwards.

Author: Thomas Munro
Reviewed-By: Alvaro Herrera, Peter Eisentraut
Discussion: https://postgr.es/m/20170914141205.eup4kxzlkagtmfac%40alvherre.pgsql
1 parent91d5f1a commit1feff99


1 file changed

+11
-9
lines changed

1 file changed

+11
-9
lines changed

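--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2331,9 +2331,9 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 
 if ((r=ldap_set_option(*ldap,LDAP_OPT_PROTOCOL_VERSION,&ldapversion))!=LDAP_SUCCESS)
 {
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not set LDAP protocol version: %s",ldap_err2string(r))));
+ldap_unbind(*ldap);
 returnSTATUS_ERROR;
 }
 
@@ -2360,18 +2360,18 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 * should never happen since we import other files from
 * wldap32, but check anyway
 */
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not load wldap32.dll")));
+ldap_unbind(*ldap);
 returnSTATUS_ERROR;
 }
 _ldap_start_tls_sA= (__ldap_start_tls_sA)GetProcAddress(ldaphandle,"ldap_start_tls_sA");
 if (_ldap_start_tls_sA==NULL)
 {
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not load function _ldap_start_tls_sA in wldap32.dll"),
 errdetail("LDAP over SSL is not supported on this platform.")));
+ldap_unbind(*ldap);
 returnSTATUS_ERROR;
 }
 
@@ -2384,9 +2384,9 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 if ((r=_ldap_start_tls_sA(*ldap,NULL,NULL,NULL,NULL))!=LDAP_SUCCESS)
 #endif
 {
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not start LDAP TLS session: %s",ldap_err2string(r))));
+ldap_unbind(*ldap);
 returnSTATUS_ERROR;
 }
 }
@@ -2491,6 +2491,7 @@ CheckLDAPAuth(Port *port)
 {
 ereport(LOG,
 (errmsg("invalid character in user name for LDAP authentication")));
+ldap_unbind(ldap);
 pfree(passwd);
 returnSTATUS_ERROR;
 }
@@ -2508,6 +2509,7 @@ CheckLDAPAuth(Port *port)
 ereport(LOG,
 (errmsg("could not perform initial LDAP bind for ldapbinddn \"%s\" on server \"%s\": %s",
 port->hba->ldapbinddn,port->hba->ldapserver,ldap_err2string(r))));
+ldap_unbind(ldap);
 pfree(passwd);
 returnSTATUS_ERROR;
 }
@@ -2533,6 +2535,7 @@ CheckLDAPAuth(Port *port)
 ereport(LOG,
 (errmsg("could not search LDAP for filter \"%s\" on server \"%s\": %s",
 filter,port->hba->ldapserver,ldap_err2string(r))));
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
 returnSTATUS_ERROR;
@@ -2554,6 +2557,7 @@ CheckLDAPAuth(Port *port)
 count,
 filter,port->hba->ldapserver,count)));
 
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
 ldap_msgfree(search_message);
@@ -2570,6 +2574,7 @@ CheckLDAPAuth(Port *port)
 ereport(LOG,
 (errmsg("could not get dn for the first entry matching \"%s\" on server \"%s\": %s",
 filter,port->hba->ldapserver,ldap_err2string(error))));
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
 ldap_msgfree(search_message);
@@ -2585,12 +2590,9 @@ CheckLDAPAuth(Port *port)
 r=ldap_unbind_s(ldap);
 if (r!=LDAP_SUCCESS)
 {
-interror;
-
-(void)ldap_get_option(ldap,LDAP_OPT_ERROR_NUMBER,&error);
 ereport(LOG,
-(errmsg("could not unbind after searching for user \"%s\" on server \"%s\": %s",
-fulluser,port->hba->ldapserver,ldap_err2string(error))));
+(errmsg("could not unbind after searching for user \"%s\" on server \"%s\"",
+fulluser,port->hba->ldapserver)));
 pfree(passwd);
 pfree(fulluser);
 returnSTATUS_ERROR;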
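Review bot: The rewritten unbind-failure message in the last hunk (CheckLDAPAuth) drops the error text entirely, although `r` already holds the return code of `ldap_unbind_s()` and `ldap_err2string()` is called elsewhere in this file with just such a code, so it does not need the invalidated handle. Keeping the reason helps whoever triages failed LDAP logins from the server log: `(errmsg("could not unbind after searching for user \"%s\" on server \"%s\": %s",` followed by `fulluser, port->hba->ldapserver, ldap_err2string(r))));`. Separately, the five earlier CheckLDAPAuth error paths now each repeat `ldap_unbind(ldap); pfree(passwd);`, so a single cleanup label would make a missed path less likely when the next early return is added. CheckLDAPAuth starts and ends outside these hunks, so whether any other early return still skips the unbind cannot be confirmed from this page.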
