Re: Dual bind, single unbind?

[Bjørn Ruberg <bjorn@ruberg.no>]

Hallvard B Furuseth wrote:
> Bjørn Ruberg writes:
> > slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" method=128
> > slapd[28594]: op=0 BIND dn="cn=adm,dc=acme,dc=com" mech=SIMPLE ssf=0
>
> This is one Bind operation.  Note that both have the same operation
> number.  I suppose it's logged on two lines because there is too much
> info for one line.

This makes sense for logging purposes. However, it shouldn't count as 
two in the slapd-monitor backend. I am not sure that it does either, but 
these log entries are the best clues I have right now :)

> I believe the first DN is the authentication identity - the DN you bound
> with and gave a password for, and the second is the resulting
> authorization identity - the one which gets access via "access"
> statements etc.  Sometimes these can be different, when the server is
> configured that way - e.g. with SASL binds.

OK, can this be reviewed somehow? Different log level, perhaps?

(The slapd I'm testing this against has just plain old simple auth, by 
the way.)

> > slapd[28594]: op=2 UNBIND
>
> Note that Unbind is not the opposite of Bind, it really means "quit and
> terminate the session".  The name is of historical origin, it made more
> sense in LDAPv2 than in v3.

But it should normally be one unbind for each bind, right? As long as 
the client behaves, that is.

> Each Bind - even a failed Bind request - cancel any previous Bind.

...as the same DN I presume.

Thanks for your help so far.

--
Bjørn