commit 2cbc303c14bf17a2a435fef6596549a472fd2af7
Author: Florian Best
Date: Wed Oct 28 16:31:02 2020 +0100

Bug #52278: fix performance leak

The request which only displays a login form did 2 LDAP binds, while none are necessary.

curl "https://ucs-sso.$(hostname -d)/simplesamlphp/saml2/idp/SSOService.php?SAMLRequest=$SAML_REQUEST&RelayState=$RELAY_STATE"

Only initialize LDAP instance on the first use

diff --git saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
index 1becc44f4a..2a3c2835e2 100644
--- saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
+++ saml/univention-saml/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php
@@ -16,7 +16,7 @@ class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {
 	 * A LDAP configuration object.
 	 */
 	private $ldapConfig;
-	private $ldap;
+	private static $_ldap = NULL;
 	private $config;
@@ -35,11 +35,16 @@ class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {
 		$this->ldapConfig = new sspmod_ldap_ConfigHelper($config, 'Authentication source ' . var_export($this->authId, TRUE));
-		$this->ldap = new SimpleSAML_Auth_LDAP($config['hostname'], $config['enable_tls'], $config['debug'], $config['timeout']);
-		$this->ldap->bind($config['search.username'], $config['search.password']);
 		$this->config = $config;
 	}
+	private function ldap() {
+		if (self::$_ldap === NULL) {
+			self::$_ldap = new SimpleSAML_Auth_LDAP($config['hostname'], $config['enable_tls'], $config['debug'], $config['timeout']);
+			self::$_ldap->bind($config['search.username'], $config['search.password']);
+		}
+		return self::$_ldap;
+	}
 	/**
 	 * Attempt to log in using the given username and password.
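Review bot: Inside the new `ldap()` method `$config` is undefined — it was the constructor's parameter, and in this scope it is null, so `$config['hostname']` and the other four lookups yield null (with an undefined-variable notice) and the lazily created connection can never be opened or bound; the constructor stores the array in `$this->config`, so the two lines should read `self::$_ldap = new SimpleSAML_Auth_LDAP($this->config['hostname'], $this->config['enable_tls'], $this->config['debug'], $this->config['timeout']);` and `self::$_ldap->bind($this->config['search.username'], $this->config['search.password']);`. The call sites changed in the second hunk (`$this->ldap()->searchfordn(...)` and `$this->ldap()->getAttributes(...)`) hit the same problem on the first login that reaches the expired-password branch, so the performance fix currently turns into a functional regression there. A second point: `$_ldap` is now `static`, so if more than one uldap authentication source is configured, the connection opened with the first source's hostname and search credentials is silently reused by the others — an instance property (`private $ldap = NULL;`) gives the same lazy behaviour without the cross-instance sharing, unless that sharing is intended. A short docblock on `ldap()` would make the intent explicit, e.g. `/** Lazily opens and binds the search connection so that merely rendering the login form triggers no LDAP bind. */`.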
@@ -71,8 +76,8 @@ class sspmod_uldap_Auth_Source_uLDAP extends sspmod_core_Auth_UserPassBase {
 		$expired_messages = array("password expired", "The password has expired.", "account expired");
 		if (in_array($this->ldapConfig->extended_error, $expired_messages)) {
 			SimpleSAML\Logger::debug('password is expired, checking for password change');
-			$user_dn = $this->ldap->searchfordn($this->config['search.base'], $this->config['search.attributes'], $username, TRUE);
-			$attributes = $this->ldap->getAttributes($user_dn);
+			$user_dn = $this->ldap()->searchfordn($this->config['search.base'], $this->config['search.attributes'], $username, TRUE);
+			$attributes = $this->ldap()->getAttributes($user_dn);
 			$this->throw_common_login_errors($attributes);
 		}
 	}