Re: Have problem searching against ldap server after asyn sasl bind

To: Michael Ströder <michael@stroeder.com>

Subject: Re: Have problem searching against ldap server after asyn sasl bind

From: Qian Li <neuliqian@gmail.com>

Date: Thu, 27 Nov 2014 11:33:50 +0800

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rCqWFuOXN0PZSIAPVvqmg2V6aRfK2/QKUHG6FtKmgkE=; b=Vz2O9pMbF4tywRCrGuCu698fXVx0LYoYkxdfX6qqGCmvHbD+NL59S1yVwtDyehhr4e ZMigOe0Uc5UvQ7F3x+IFi5fmCT6o3hkMVIxmnfvSZd9OQYPgLLQE1pwoaFNNvBh8kU9O gEJ2i8qEy1Pg7g8/1CaAsFfHBTDjj0OgiSuIEsIVnAxYdmarrP/MMEkB6gw/mq/xatVy uUZ3oVEev0DXPZOpP31X2kJXUL3KcVZ0PRgi/QbSzdWAM46yP+zeNdpL5j+QDDCJxOqJ aCMOAACpwi2e5AumgCorS0NypfcTOeXo5T3b8fO914AoNoDfggB3cl+zcL5d9J2yrspe S3xA==

In-reply-to: <54763D5F.1050108@stroeder.com>

References: <CADxGnr4HO59ExG4-12q=6yZVY5gP3Wax0Uf=XdNGX9Q9PZXjeg@mail.gmail.com> <54759DBC.8030701@stroeder.com> <CADxGnr44gt86ZKnZCRLSD3yyXwuQx-JXab4dNJCt7Cxy5JfNSA@mail.gmail.com> <54763D5F.1050108@stroeder.com>

On Thu, Nov 27, 2014 at 4:51 AM, Michael Ströder <michael@stroeder.com> wrote:

Qian Li wrote:
> On Wed, Nov 26, 2014 at 5:30 PM, Michael Ströder <michael@stroeder.com>
> wrote:
>
>> Qian Li wrote:
>>> Recently, I tried to write a ldap client to do ldap search
>> asynchronously,
>>> but failed to perform search operation after a successful async sasl
>>> (digest-md5) bind.
>>
>> What's your use-case for having async bind operation?
>>
>> Note that the bind operation is somewhat special because it establishs a
>> security context/association.
>
> The ldap client is a daemon which accepts arbitrary request
> from outside

What kind of requests?

There are IPCs from other processes and the ldap client is only single thread.

> and periodically retrieves all users/groups from ldap server.

A simple search? Security requirements regarding passwords?

Security requirements only regarding bound identity's password. If simple bind is used, the identity's password will be plain text in the search request.

> For sync bind, the client needs to wait for bind to complete, which could
> make outside request not be responded for a time .
> It would be better to support async bind in the client.

That does not make sense.

Again:
The bind operation is somewhat special because it establishs a security
context/association. Note that the following LDAP requests are authorized
based on the bound identity.

I don't know what's your exact use-case. But if you're cautious about
performance you should open a connection pool of persistent connections and
always bind *once* during connection lifetime.

Yes, persistent connections pool is another solution.
The search operation works in both async simple bind and sync SASL/DIGEST-MD5 bind, but doesn't work in async SASL/DIGEST-MD5 bind. This confuses me...