Re: (ITS#7464) ldap_back_dobind_int breaking binded user
Actually I had this before and that did not change anything. I don't think
this directive is used for this kind of "timeouts"...
I also tried:
chase-referrals yes (this is default)
rebind-as-user yes (as suggested here)
single-conn yes (default to NO)
I also tried some combinations of idassert-bind options with no luck (as the
backend does not support identity assertion).
2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
>
> >
> > Config is basic (with special timeout tests commented out) :
> >
> > database ldap
> > suffix "o=corp"
> > uri ldaps://10.100.120.153
> >
> > # close connection after a timeout
> > #idletimeout 100
> > # causes a cached connection to be dropped and recreated after a given ttl
> > #conn-ttl 4294967294
> > # close connection after a timeout for ldap backend
> > #idle-timeout 4294967294
> > # Discards current cached connection when the client rebinds - default to No
> > #single-conn no
>
>
> Try adding a "rebind-as-user" here. This forces back-ldap to store
> client's credentials in order to rebind when needed (e.g. because a
> persistent connection timed out).
>
> p.
>
> > overlay rwm
> > rwm-suffixmassage "o=corp" "o=int"
> >
> >
> > 2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
> >
> >>
> >> > Full_Name: Sebastien Prune THOMAS
> >> > Version: slapd 2.4.31
> >> > OS: Linux CentOS
> >> > URL: ftp://ftp.openldap.org/incoming/
> >> > Submission from: (NULL) (206.167.157.64)
> >> >
> >> >
> >> > I use OpenLdap to proxy (with the module back-ldap) to an eDirectory LDAP
> >> > server.
> >> > Every once in a while I have long lasting connections re-binding as
> >> > anonymous, breaking the actual bind.
> >> > This usually happens after hitting either the idle-timeout or the conn-ttl
> >> > limit.
> >> > I wasn't able to find out what these values are when not set... but
> >> > setting them low can help reproduce the problem:
> >>
> >> What is the configuration of back-ldap? Can you post it (after sanitizing
> >> sensitive info)?
> >>
> >> p.
> >>
> >> --
> >> Pierangelo Masarati
> >> Associate Professor
> >> Dipartimento di Ingegneria Aerospaziale
> >> Politecnico di Milano
> >>
> >>
> >
>
>
> --
> Pierangelo Masarati
> Associate Professor
> Dipartimento di Ingegneria Aerospaziale
> Politecnico di Milano
>
>
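As an added example, not taken from the reporter's or Pierangelo's messages, here is the back-ldap section of a slapd.conf written to exercise the reconnect path discussed in this thread: the timeout directives that the reporter had commented out are enabled with low values so that idle-timeout and conn-ttl expiry can be reached within a short test session, and rebind-as-user is set as suggested. The backend host name is a placeholder; the suffixes are the ones from the reporter's config. slapd.conf only recognises comments that start a line, so every comment here sits on its own line.

```conf
database          ldap
suffix            "o=corp"
# placeholder backend host, not the reporter's address
uri               ldaps://ldap-backend.example.test

# Keep the client's bind credentials so that back-ldap re-binds as the same
# identity whenever it has to open a fresh backend connection.
rebind-as-user    yes

# Low values so the "cached connection dropped after timeout" case is hit quickly.
# A cached backend connection idle for 30 seconds is closed.
idle-timeout      30
# A cached backend connection is dropped and re-created after 60 seconds of life.
conn-ttl          60

# Default: a client re-bind does not reuse the previous cached connection.
single-conn       no

overlay           rwm
rwm-suffixmassage "o=corp" "o=int"
```

To check the behaviour, use a client that holds one bound session open to the proxy, wait longer than idle-timeout (and separately longer than conn-ttl), then issue an operation on the same session that reveals the effective identity, such as the LDAP Who Am I extended operation. If the result is anonymous after the wait, the backend connection was re-established without the stored credentials, which is the symptom the report describes.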