From d014b1df4d61264eea0435352be36e628f8ab213 Mon Sep 17 00:00:00 2001
From: Lukas Garberg
Date: Wed, 31 Jan 2024 12:40:26 +0100
Subject: [PATCH] nipapd: Close LDAP connection after authentication
The LDAP auth backend never explicitly closed the connection to the LDAP server, when meant that it was kept open until the auth object timed out from the auth cache which can take some time. Now LDAP connections are closed once the authentication is done.
---
 nipap/nipap/authlib.py | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/nipap/nipap/authlib.py b/nipap/nipap/authlib.py
index 5bc9ace83..7cddf5870 100644
--- a/nipap/nipap/authlib.py
+++ b/nipap/nipap/authlib.py
@@ -495,16 +495,6 @@ def __init__(self, name, username, password, authoritative_source, auth_options=
 self._ldap_search_password = self._cfg.get(base_auth_backend, 'search_password')
 self._ldap_search_conn = ldap.initialize(self._ldap_uri)
- if self._ldap_tls:
- try:
- self._ldap_conn.start_tls_s()
- if self._ldap_search_conn is not None:
- self._ldap_search_conn.start_tls_s()
- except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN) as exc:
- self._logger.error('Attempted to start TLS with ldap server but failed.')
- self._logger.exception(exc)
- raise AuthError('Unable to establish secure connection to ldap server')
-
 @create_span_authenticate
 def authenticate(self):
 """ Verify authentication.
@@ -517,6 +507,17 @@ def authenticate(self):
 if self._authenticated is not None:
 return self._authenticated
+ # Start TLS session, if needed
+ if self._ldap_tls:
+ try:
+ self._ldap_conn.start_tls_s()
+ if self._ldap_search_conn is not None:
+ self._ldap_search_conn.start_tls_s()
+ except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN) as exc:
+ self._logger.error('Attempted to start TLS with ldap server but failed.')
+ self._logger.exception(exc)
+ raise AuthError('Unable to establish secure connection to ldap server')
+
 try:
 self._ldap_conn.simple_bind_s(self._ldap_binddn_fmt.format(ldap.dn.escape_dn_chars(self.username)),
 self.password)
@@ -585,6 +586,11 @@ def authenticate(self):
 if self._ldap_rw_group or self._ldap_ro_group:
 self._authenticated = False
 return self._authenticated
+ finally:
+ # Unbind from LDAP server
+ self._ldap_conn.unbind_s()
+ if self._ldap_search_conn is not None:
+ self._ldap_search_conn.unbind_s()
 self._authenticated = True
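Review bot: The TLS negotiation added at the top of `authenticate()` sits before the `try:` whose `finally` (the hunk at line 586) unbinds both connections, so when `start_tls_s()` raises — including the case where `self._ldap_conn` upgrades successfully and `self._ldap_search_conn` then fails — `AuthError` propagates with the connections still open, which is exactly the leak this commit sets out to close. The smallest fix is to move the existing `try:` line up above `# Start TLS session, if needed` and indent the TLS block one level into it, so the same `finally` covers both the negotiation and the bind. Separately, `unbind_s()` inside that `finally` can itself raise (for instance `ldap.SERVER_DOWN` after a broken negotiation) and would then replace the original exception; wrapping the two unbind calls in `contextlib.suppress(ldap.LDAPError)`, or logging and swallowing there, keeps the real failure visible. The `except` branches of this `try` lie between the hunks and are not visible here, so I could not check that every path sets `self._authenticated` before the connections are unbound; if one leaves it `None`, a retry would call `start_tls_s()` on an already-unbound object.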