Merge pull request #1369 from garberg/close_ldap_conn

nipapd: Close LDAP connection after authentication
SpriteLink · May 20, 2024 · 8b2dc2d · 8b2dc2d
2 parents 6b8eb5d + d014b1d
commit 8b2dc2d
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/nipap/nipap/authlib.py b/nipap/nipap/authlib.py
@@ -495,16 +495,6 @@ def __init__(self, name, username, password, authoritative_source, auth_options=
             self._ldap_search_password = self._cfg.get(base_auth_backend, 'search_password')
             self._ldap_search_conn = ldap.initialize(self._ldap_uri)
 
-        if self._ldap_tls:
-            try:
-                self._ldap_conn.start_tls_s()
-                if self._ldap_search_conn is not None:
-                    self._ldap_search_conn.start_tls_s()
-            except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN) as exc:
-                self._logger.error('Attempted to start TLS with ldap server but failed.')
-                self._logger.exception(exc)
-                raise AuthError('Unable to establish secure connection to ldap server')
-
     @create_span_authenticate
     def authenticate(self):
         """ Verify authentication.
@@ -517,6 +507,17 @@ def authenticate(self):
         if self._authenticated is not None:
             return self._authenticated
 
+        # Start TLS session, if needed
+        if self._ldap_tls:
+            try:
+                self._ldap_conn.start_tls_s()
+                if self._ldap_search_conn is not None:
+                    self._ldap_search_conn.start_tls_s()
+            except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN) as exc:
+                self._logger.error('Attempted to start TLS with ldap server but failed.')
+                self._logger.exception(exc)
+                raise AuthError('Unable to establish secure connection to ldap server')
+
         try:
             self._ldap_conn.simple_bind_s(self._ldap_binddn_fmt.format(ldap.dn.escape_dn_chars(self.username)),
                                           self.password)
@@ -585,6 +586,11 @@ def authenticate(self):
             if self._ldap_rw_group or self._ldap_ro_group:
                 self._authenticated = False
                 return self._authenticated
+        finally:
+            # Unbind from LDAP server
+            self._ldap_conn.unbind_s()
+            if self._ldap_search_conn is not None:
+                self._ldap_search_conn.unbind_s()
 
         self._authenticated = True