
Commit 1feff99

Improve LDAP cleanup code in error paths.
After calling ldap_unbind_s() we probably shouldn't try to use the LDAP connection again to call ldap_get_option(), even if it failed. The OpenLDAP man page for ldap_unbind[_s] says "Once it is called, the connection to the LDAP server is closed, and the ld structure is invalid." Otherwise, as a general rule we should probably call ldap_unbind() before returning in all paths to avoid leaking resources. It is unlikely there is any practical leak problem since failure to authenticate currently results in the backend exiting soon afterwards. Author: Thomas Munro Reviewed-By: Alvaro Herrera, Peter Eisentraut Discussion: https://postgr.es/m/20170914141205.eup4kxzlkagtmfac%40alvherre.pgsql
1 parent 91d5f1a commit 1feff99


1 file changed

+11
-9
lines changed


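--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2331,9 +2331,9 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 
 if ((r = ldap_set_option(*ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) != LDAP_SUCCESS)
 {
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not set LDAP protocol version: %s", ldap_err2string(r))));
+ldap_unbind(*ldap);
 return STATUS_ERROR;
 }
 
@@ -2360,18 +2360,18 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 * should never happen since we import other files from
 * wldap32, but check anyway
 */
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not load wldap32.dll")));
+ldap_unbind(*ldap);
 return STATUS_ERROR;
 }
 _ldap_start_tls_sA = (__ldap_start_tls_sA) GetProcAddress(ldaphandle, "ldap_start_tls_sA");
 if (_ldap_start_tls_sA == NULL)
 {
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not load function _ldap_start_tls_sA in wldap32.dll"),
 errdetail("LDAP over SSL is not supported on this platform.")));
+ldap_unbind(*ldap);
 return STATUS_ERROR;
 }
 
@@ -2384,9 +2384,9 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 if ((r = _ldap_start_tls_sA(*ldap, NULL, NULL, NULL, NULL)) != LDAP_SUCCESS)
 #endif
 {
-ldap_unbind(*ldap);
 ereport(LOG,
 (errmsg("could not start LDAP TLS session: %s", ldap_err2string(r))));
+ldap_unbind(*ldap);
 return STATUS_ERROR;
 }
 }
@@ -2491,6 +2491,7 @@ CheckLDAPAuth(Port *port)
 {
 ereport(LOG,
 (errmsg("invalid character in user name for LDAP authentication")));
+ldap_unbind(ldap);
 pfree(passwd);
 return STATUS_ERROR;
 }
@@ -2508,6 +2509,7 @@ CheckLDAPAuth(Port *port)
 ereport(LOG,
 (errmsg("could not perform initial LDAP bind for ldapbinddn \"%s\" on server \"%s\": %s",
 port->hba->ldapbinddn, port->hba->ldapserver, ldap_err2string(r))));
+ldap_unbind(ldap);
 pfree(passwd);
 return STATUS_ERROR;
 }
@@ -2533,6 +2535,7 @@ CheckLDAPAuth(Port *port)
 ereport(LOG,
 (errmsg("could not search LDAP for filter \"%s\" on server \"%s\": %s",
 filter, port->hba->ldapserver, ldap_err2string(r))));
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
 return STATUS_ERROR;
@@ -2554,6 +2557,7 @@ CheckLDAPAuth(Port *port)
 count,
 filter, port->hba->ldapserver, count)));
 
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
 ldap_msgfree(search_message);
@@ -2570,6 +2574,7 @@ CheckLDAPAuth(Port *port)
 ereport(LOG,
 (errmsg("could not get dn for the first entry matching \"%s\" on server \"%s\": %s",
 filter, port->hba->ldapserver, ldap_err2string(error))));
+ldap_unbind(ldap);
 pfree(passwd);
 pfree(filter);
 ldap_msgfree(search_message);
@@ -2585,12 +2590,9 @@ CheckLDAPAuth(Port *port)
 r = ldap_unbind_s(ldap);
 if (r != LDAP_SUCCESS)
 {
-int error;
-
-(void) ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &error);
 ereport(LOG,
-(errmsg("could not unbind after searching for user \"%s\" on server \"%s\": %s",
-fulluser, port->hba->ldapserver, ldap_err2string(error))));
+(errmsg("could not unbind after searching for user \"%s\" on server \"%s\"",
+fulluser, port->hba->ldapserver)));
 pfree(passwd);
 pfree(fulluser);
 return STATUS_ERROR;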
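Review bot: The last hunk of CheckLDAPAuth drops the failure reason from the "could not unbind after searching" log line entirely, although `r` — the value ldap_unbind_s() just returned — is still in scope and is exactly the result code the other paths in this file already feed to ldap_err2string(). Removing the ldap_get_option() call on the closed handle is right, but the message can keep its diagnostic value without touching `ldap` again: `(errmsg("could not unbind after searching for user \"%s\" on server \"%s\": %s",` / `fulluser, port->hba->ldapserver, ldap_err2string(r))));`. On the wldap32 build the return type of ldap_unbind_s may differ from OpenLDAP's int, so this presumably needs the same treatment the file gives `r` at the other ldap_err2string(r) call sites. An unbind failure here is an audit-relevant event (it is the session that did the privileged search bind), so a code in the log is worth keeping. CheckLDAPAuth continues before and after this hunk.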
