[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7464) ldap_back_dobind_int breaking binded user
--20cf307d04d2686d3904d0343c02
Content-Type: text/plain; charset=ISO-8859-1
Here is a quick python script that can be used to query a LDAP proxy.
Running it while the proxy is configured with conn-ttl = 5 will trigget the
error after 5 seconds:
import ldap, sys, pprint, time
ldap_server = "localhost"
dn="cn=ldapintbind,o=corp"
pw="your password here"
con = ldap.initialize('ldap://' + ldap_server)
try:
#l.start_tls_s()
con.simple_bind_s(dn, pw)
con.set_option(ldap.OPT_DEREF,3)
scope = ldap.SCOPE_SUBTREE
base = "o=corp"
filter ="(&(objectClass=*)(uid=dln))"
retrieve_attributes = ["uid"]
result_data = []
result_set = []
timeout = 0
essai=0
while 1:
print(str(essai) + ".")
essai+=1
result_id = con.search_s(base, scope, filter, retrieve_attributes)
#pprint.pprint(result_id)
time.sleep(1)
except ldap.LDAPError, e:
print e.message['info']
if type(e.message) == dict and e.message.has_key('desc'):
print e.message['desc']
else:
print e
sys.exit()
2012/12/6 Sebastien Thomas <prune@lecentre.net>
> Actualy I had this before and that did not change anything. I don't think
> this directive is used for this kind of "timeouts"...
>
> I also tried :
>
> *chase-referrals yes (this is default)*
> *rebind-as-user yes (as suggested here)**
> *
> *single-conn yes (default to NO)**
> *
> *
> *
> I also tried some combinings of idassert-bind options with no luck (as
> the backend does not support identity assertion).
>
>
> 2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
>
>>
>> > --20cf307811d0d379c404d032d6ee
>> > Content-Type: text/plain; charset=ISO-8859-1
>> >
>> > Config is basic (with special timeout tests commented out) :
>> >
>> > database ldap
>> > suffix "o=corp"
>> > uri ldaps://10.100.120.153
>> >
>> > # close connection after a timeout
>> > #idletimeout 100
>> > # causes a cached connection to be dropped an recreated after a given
>> ttl
>> > #conn-ttl 4294967294
>> > # close connection after a timeout for ldap backend
>> > #idle-timeout 4294967294
>> > # Discards current cached connection when the client rebinds - default
>> to
>> > No
>> > #single-conn no
>>
>>
>> Try adding a "rebind-as-user" here. This forces back-ldap to store
>> client's credentials in order to rebind when needed (e.g. because a
>> persistent connection timed out).
>>
>> p.
>>
>> > overlay rwm
>> > rwm-suffixmassage "o=corp" "o=int"
>> >
>> >
>> > 2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
>> >
>> >>
>> >> > Full_Name: Sebastien Prune THOMAS
>> >> > Version: slapd 2.4.31
>> >> > OS: Linux CentOS
>> >> > URL: ftp://ftp.openldap.org/incoming/
>> >> > Submission from: (NULL) (206.167.157.64)
>> >> >
>> >> >
>> >> > I use OpenLdap to proxy (with the module back-ldap) to a eDirectory
>> >> LDAP
>> >> > server.
>> >> > Every once and a while I have long lasting connections re-binding as
>> >> > anonymous,
>> >> > breaking the actual bind.
>> >> > This usualy happen after hitting either the idle-timeout or the
>> >> conn-ttl
>> >> > limit.
>> >> > I wasn't able to find out what these values are when not set... but
>> >> > setting them
>> >> > low can help reproduce the problem :
>> >>
>> >> What is the configuration of back-ldap? Can you post it (after
>> >> sanitizing
>> >> sensitive info)?
>> >>
>> >> p.
>> >>
>> >> --
>> >> Pierangelo Masarati
>> >> Associate Professor
>> >> Dipartimento di Ingegneria Aerospaziale
>> >> Politecnico di Milano
>> >>
>> >>
>> >
>> > --20cf307811d0d379c404d032d6ee
>> > Content-Type: text/html; charset=ISO-8859-1
>> > Content-Transfer-Encoding: quoted-printable
>> >
>> > <div style=3D"font-family:Tahoma;font-size:13px">Config is basic (with
>> > spec=
>> > ial timeout tests commented out) :</div><div
>> > style=3D"font-family:Tahoma;fo=
>> > nt-size:13px">=A0</div><div
>> > style=3D"font-family:Tahoma;font-size:13px">dat=
>> > abase =A0 =A0 =A0ldap<br>
>> > suffix =A0 =A0 =A0 =A0 =A0
>> > =A0"o=3Dcorp"<br>uri=A0=A0=A0=A0=A0=A0=
>> > =A0=A0=A0=A0=A0=A0=A0 =A0 =A0<a>ldaps://10.100.120.153</a></div><div
>> > style=
>> > =3D"font-family:Tahoma;font-size:13px">=A0</div><div
>> > style=3D"font-family:T=
>> > ahoma;font-size:13px"># close connection after a timeout<br>
>> > #idletimeout=A0=A0=A0=A0 100<br># causes a cached connection to be
>> dropped
>> > =
>> > an recreated after a given ttl<br>#conn-ttl=A0=A0=A0=A0=A0=A0=A0
>> > 4294967294=
>> > <br># close connection after a timeout for ldap
>> > backend<br>#idle-timeout=A0=
>> > =A0=A0 4294967294<br># Discards current cached connection when the
>> client
>> > r=
>> > ebinds - default to No<br>
>> > #single-conn=A0=A0=A0=A0 no</div><div
>> > style=3D"font-family:Tahoma;font-size=
>> > :13px"><br>overlay=A0=A0=A0=A0=A0=A0=A0=A0 rwm<br>rwm-suffixmassage
>> > "o=
>> > =3Dcorp" "o=3Dint"</div><div
>> > class=3D"gmail_extra"><br><br><=
>> > div class=3D"gmail_quote">2012/12/6 Pierangelo Masarati <span
>> > dir=3D"ltr">&=
>> > lt;<a href=3D"mailto:masarati@aero.polimi.it"
>> > target=3D"_blank">masarati@ae=
>> > ro.polimi.it</a>></span><br>
>> > <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>> > .8ex;border-left:1p=
>> > x #ccc solid;padding-left:1ex"><br>
>> > > Full_Name: Sebastien Prune THOMAS<br>
>> > > Version: slapd 2.4.31<br>
>> > > OS: Linux CentOS<br>
>> > > URL: <a href=3D"ftp://ftp.openldap.org/incoming/"
>> > target=3D"_blank">ft=
>> > p://ftp.openldap.org/incoming/</a><br>
>> > > Submission from: (NULL) (206.167.157.64)<br>
>> > ><br>
>> > ><br>
>> > > I use OpenLdap to proxy (with the module back-ldap) to a eDirectory
>> > LD=
>> > AP<br>
>> > > server.<br>
>> > > Every once and a while I have long lasting connections re-binding
>> > as<b=
>> > r>
>> > > anonymous,<br>
>> > > breaking the actual bind.<br>
>> > > This usualy happen after hitting either the idle-timeout or the
>> > conn-t=
>> > tl<br>
>> > > limit.<br>
>> > > I wasn't able to find out what these values are when not set...
>> > bu=
>> > t<br>
>> > > setting them<br>
>> > > low can help reproduce the problem :<br>
>> > <br>
>> > What is the configuration of back-ldap? =A0Can you post it (after
>> > sanitizin=
>> > g<br>
>> > sensitive info)?<br>
>> > <span class=3D"HOEnZb"><font color=3D"#888888"><br>
>> > p.<br>
>> > <br>
>> > --<br>
>> > Pierangelo Masarati<br>
>> > Associate Professor<br>
>> > Dipartimento di Ingegneria Aerospaziale<br>
>> > Politecnico di Milano<br>
>> > <br>
>> > </font></span></blockquote></div><br></div>
>> >
>> > --20cf307811d0d379c404d032d6ee--
>> >
>> >
>> >
>> >
>> >
>>
>>
>> --
>> Pierangelo Masarati
>> Associate Professor
>> Dipartimento di Ingegneria Aerospaziale
>> Politecnico di Milano
>>
>>
>
--20cf307d04d2686d3904d0343c02
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Here is a quick python script that can be used to query a LDAP proxy. Runni=
ng it while the proxy is configured with conn-ttl =3D 5 will trigget the er=
ror after 5 seconds:<div><br></div><div><br></div><div><br></div><div><div =
style=3D"font-family:Tahoma;font-size:13px">
import ldap, sys, pprint, time</div><div style=3D"font-family:Tahoma;font-s=
ize:13px">=A0</div><div style=3D"font-family:Tahoma;font-size:13px">ldap_se=
rver =3D "localhost"<br>dn=3D"cn=3Dldapintbind,o=3Dcorp"=
;<br>pw=3D"your password here"</div>
<div style=3D"font-family:Tahoma;font-size:13px">=A0</div><div style=3D"fon=
t-family:Tahoma;font-size:13px">con =3D ldap.initialize('ldap://' +=
ldap_server)<br>try:<br>=A0=A0=A0 #l.start_tls_s()<br>=A0=A0=A0 con.simple=
_bind_s(dn, pw)<br>
=A0=A0=A0 con.set_option(ldap.OPT_DEREF,3)<br>=A0 =A0=A0</div><div style=3D=
"font-family:Tahoma;font-size:13px">=A0=A0=A0 scope =3D ldap.SCOPE_SUBTREE<=
br>=A0=A0=A0 base =3D "o=3Dcorp"<br>=A0=A0=A0 filter =3D"(&a=
mp;(objectClass=3D*)(uid=3Ddln))"<br>
=A0=A0=A0 retrieve_attributes =3D ["uid"]<br>=A0=A0=A0 result_dat=
a =3D []<br>=A0=A0=A0 result_set =3D []<br>=A0=A0=A0 timeout =3D 0</div><di=
v style=3D"font-family:Tahoma;font-size:13px">=A0</div><div style=3D"font-f=
amily:Tahoma;font-size:13px">=A0=A0=A0 essai=3D0<br>
=A0=A0=A0 while 1:<br>=A0=A0=A0=A0=A0=A0=A0 print(str(essai) + "."=
;)<br>=A0=A0=A0=A0=A0=A0=A0 essai+=3D1</div><div style=3D"font-family:Tahom=
a;font-size:13px">=A0</div><div style=3D"font-family:Tahoma;font-size:13px"=
>=A0=A0=A0=A0=A0=A0=A0 result_id =3D con.search_s(base, scope, filter, retr=
ieve_attributes)<br>
=A0=A0=A0=A0=A0=A0=A0 #pprint.pprint(result_id)</div><div style=3D"font-fam=
ily:Tahoma;font-size:13px">=A0</div><div style=3D"font-family:Tahoma;font-s=
ize:13px">=A0 =A0 =A0 =A0 time.sleep(1)<br></div><div style=3D"font-family:=
Tahoma;font-size:13px">=A0</div>
<div style=3D"font-family:Tahoma;font-size:13px"><br>except ldap.LDAPError,=
e:<br>=A0=A0=A0 print e.message['info']<br>=A0=A0=A0 if type(e.mes=
sage) =3D=3D dict and e.message.has_key('desc'):<br>=A0=A0=A0=A0=A0=
=A0=A0 print e.message['desc']<br>
=A0=A0=A0 else:<br>=A0=A0=A0=A0=A0=A0=A0 print e<br>=A0=A0=A0 sys.exit()</d=
iv></div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2012=
/12/6 Sebastien Thomas <span dir=3D"ltr"><<a href=3D"mailto:prune@lecent=
re.net" target=3D"_blank">prune@lecentre.net</a>></span><br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><span style=3D"font-family:arial,sans-serif;=
font-size:13px">Actualy I had this before and that did not change anything.=
I don't think this directive is used for this kind of "timeouts&q=
uot;...</span><br>
<div><span style=3D"font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div><span style=3D"font-family:arial,sans-serif;font-size:13p=
x">I also tried :</span></div><div><span style=3D"font-family:arial,sans-se=
rif;font-size:13px"><br></span></div><div><b style=3D"font-size:13px;font-f=
amily:arial,sans-serif">chase-referrals yes (this is default)</b><span styl=
e=3D"font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div><b style=3D"font-size:13px;font-family:arial,sans-serif">=
rebind-as-user yes (as suggested here)</b><b style=3D"font-size:13px;font-f=
amily:arial,sans-serif"><br></b></div><div>
<b style=3D"font-size:13px;font-family:arial,sans-serif">single-conn yes (d=
efault to NO)</b><b style=3D"font-size:13px;font-family:arial,sans-serif"><=
br></b></div><div><b style=3D"font-size:13px;font-family:arial,sans-serif">=
<br>
</b></div><div><span style=3D"font-size:13px;font-family:arial,sans-serif">=
I also tried some combinings of=A0</span><span style=3D"font-size:13px;font=
-family:arial,sans-serif">idassert-bind options with no luck (as the backen=
d does not support identity assertion).</span></div>
<div class=3D"HOEnZb"><div class=3D"h5">
<div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2012/12/6 Pie=
rangelo Masarati <span dir=3D"ltr"><<a href=3D"mailto:masarati@aero.poli=
mi.it" target=3D"_blank">masarati@aero.polimi.it</a>></span><br><blockqu=
ote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc s=
olid;padding-left:1ex">
<br>
> --20cf307811d0d379c404d032d6ee<br>
> Content-Type: text/plain; charset=3DISO-8859-1<br>
<div>><br>
> Config is basic (with special timeout tests commented out) :<br>
><br>
> database =A0 =A0 =A0ldap<br>
> suffix =A0 =A0 =A0 =A0 =A0 =A0"o=3Dcorp"<br>
> uri =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ldaps://<a href=3D"http://10.100.1=
20.153" target=3D"_blank">10.100.120.153</a><br>
><br>
> # close connection after a timeout<br>
> #idletimeout =A0 =A0 100<br>
> # causes a cached connection to be dropped an recreated after a given =
ttl<br>
> #conn-ttl =A0 =A0 =A0 =A04294967294<br>
> # close connection after a timeout for ldap backend<br>
> #idle-timeout =A0 =A04294967294<br>
> # Discards current cached connection when the client rebinds - default=
to<br>
> No<br>
> #single-conn =A0 =A0 no<br>
<br>
<br>
</div>Try adding a "rebind-as-user" here. =A0This forces back-lda=
p to store<br>
client's credentials in order to rebind when needed (e.g. because a<br>
persistent connection timed out).<br>
<br>
p.<br>
<div><div><br>
> overlay =A0 =A0 =A0 =A0 rwm<br>
> rwm-suffixmassage "o=3Dcorp" "o=3Dint"<br>
><br>
><br>
> 2012/12/6 Pierangelo Masarati <<a href=3D"mailto:masarati@aero.poli=
mi.it" target=3D"_blank">masarati@aero.polimi.it</a>><br>
><br>
>><br>
>> > Full_Name: Sebastien Prune THOMAS<br>
>> > Version: slapd 2.4.31<br>
>> > OS: Linux CentOS<br>
>> > URL: <a href=3D"ftp://ftp.openldap.org/incoming/" target=3D"_=
blank">ftp://ftp.openldap.org/incoming/</a><br>
>> > Submission from: (NULL) (206.167.157.64)<br>
>> ><br>
>> ><br>
>> > I use OpenLdap to proxy (with the module back-ldap) to a eDir=
ectory<br>
>> LDAP<br>
>> > server.<br>
>> > Every once and a while I have long lasting connections re-bin=
ding as<br>
>> > anonymous,<br>
>> > breaking the actual bind.<br>
>> > This usualy happen after hitting either the idle-timeout or t=
he<br>
>> conn-ttl<br>
>> > limit.<br>
>> > I wasn't able to find out what these values are when not =
set... but<br>
>> > setting them<br>
>> > low can help reproduce the problem :<br>
>><br>
>> What is the configuration of back-ldap? =A0Can you post it (after<=
br>
>> sanitizing<br>
>> sensitive info)?<br>
>><br>
>> p.<br>
>><br>
>> --<br>
>> Pierangelo Masarati<br>
>> Associate Professor<br>
>> Dipartimento di Ingegneria Aerospaziale<br>
>> Politecnico di Milano<br>
>><br>
>><br>
><br>
</div></div>> --20cf307811d0d379c404d032d6ee<br>
> Content-Type: text/html; charset=3DISO-8859-1<br>
> Content-Transfer-Encoding: quoted-printable<br>
><br>
> <div style=3D3D"font-family:Tahoma;font-size:13px">Con=
fig is basic (with<br>
> spec=3D<br>
> ial timeout tests commented out) :</div><div<br>
> style=3D3D"font-family:Tahoma;fo=3D<br>
> nt-size:13px">=3DA0</div><div<br>
> style=3D3D"font-family:Tahoma;font-size:13px">dat=3D<br>
> abase =3DA0 =3DA0 =3DA0ldap<br><br>
> suffix =3DA0 =3DA0 =3DA0 =3DA0 =3DA0<br>
> =3DA0&quot;o=3D3Dcorp&quot;<br>uri=3DA0=3DA0=3DA0=3DA0=
=3DA0=3DA0=3D<br>
> =3DA0=3DA0=3DA0=3DA0=3DA0=3DA0=3DA0 =3DA0 =3DA0<a>ldaps://<a hre=
f=3D"http://10.100.120.153" target=3D"_blank">10.100.120.153</a></a>&=
lt;/div><div<br>
> style=3D<br>
> =3D3D"font-family:Tahoma;font-size:13px">=3DA0</div>=
;<div<br>
> style=3D3D"font-family:T=3D<br>
> ahoma;font-size:13px"># close connection after a timeout<br=
><br>
> #idletimeout=3DA0=3DA0=3DA0=3DA0 100<br># causes a cached connec=
tion to be dropped<br>
> =3D<br>
> an recreated after a given ttl<br>#conn-ttl=3DA0=3DA0=3DA0=3DA0=
=3DA0=3DA0=3DA0<br>
> 4294967294=3D<br>
> <br># close connection after a timeout for ldap<br>
> backend<br>#idle-timeout=3DA0=3D<br>
> =3DA0=3DA0 4294967294<br># Discards current cached connection wh=
en the client<br>
> r=3D<br>
> ebinds - default to No<br><br>
> #single-conn=3DA0=3DA0=3DA0=3DA0 no</div><div<br>
> style=3D3D"font-family:Tahoma;font-size=3D<br>
> :13px"><br>overlay=3DA0=3DA0=3DA0=3DA0=3DA0=3DA0=3DA0=3D=
A0 rwm<br>rwm-suffixmassage<br>
> &quot;o=3D<br>
> =3D3Dcorp&quot; &quot;o=3D3Dint&quot;</div><div<b=
r>
> class=3D3D"gmail_extra"><br><br><=3D<br>
> div class=3D3D"gmail_quote">2012/12/6 Pierangelo Masarati=
<span<br>
> dir=3D3D"ltr">&=3D<br>
> lt;<a href=3D3D"mailto:<a href=3D"mailto:masarati@aero.polimi.=
it" target=3D"_blank">masarati@aero.polimi.it</a>"<br>
> target=3D3D"_blank">masarati@ae=3D<br>
> <a href=3D"http://ro.polimi.it" target=3D"_blank">ro.polimi.it</a><=
/a>&gt;</span><br><br>
> <blockquote class=3D3D"gmail_quote" style=3D3D"margi=
n:0 0 0<br>
> .8ex;border-left:1p=3D<br>
> x #ccc solid;padding-left:1ex"><br><br>
> &gt; Full_Name: Sebastien Prune THOMAS<br><br>
> &gt; Version: slapd 2.4.31<br><br>
> &gt; OS: Linux CentOS<br><br>
> &gt; URL: <a href=3D3D"<a href=3D"ftp://ftp.openldap.org/i=
ncoming/" target=3D"_blank">ftp://ftp.openldap.org/incoming/</a>"<br>
> target=3D3D"_blank">ft=3D<br>
> p://<a href=3D"http://ftp.openldap.org/incoming/" target=3D"_blank">ft=
p.openldap.org/incoming/</a></a><br><br>
> &gt; Submission from: (NULL) (206.167.157.64)<br><br>
> &gt;<br><br>
> &gt;<br><br>
> &gt; I use OpenLdap to proxy (with the module back-ldap) to a eDir=
ectory<br>
> LD=3D<br>
> AP<br><br>
> &gt; server.<br><br>
> &gt; Every once and a while I have long lasting connections re-bin=
ding<br>
> as<b=3D<br>
> r><br>
> &gt; anonymous,<br><br>
> &gt; breaking the actual bind.<br><br>
> &gt; This usualy happen after hitting either the idle-timeout or t=
he<br>
> conn-t=3D<br>
> tl<br><br>
> &gt; limit.<br><br>
> &gt; I wasn&#39;t able to find out what these values are when =
not set...<br>
> bu=3D<br>
> t<br><br>
> &gt; setting them<br><br>
> &gt; low can help reproduce the problem :<br><br>
> <br><br>
> What is the configuration of back-ldap? =3DA0Can you post it (after<br=
>
> sanitizin=3D<br>
> g<br><br>
> sensitive info)?<br><br>
> <span class=3D3D"HOEnZb"><font color=3D3D"#888=
888"><br><br>
> p.<br><br>
> <br><br>
> --<br><br>
> Pierangelo Masarati<br><br>
> Associate Professor<br><br>
> Dipartimento di Ingegneria Aerospaziale<br><br>
> Politecnico di Milano<br><br>
> <br><br>
> </font></span></blockquote></div><br><=
;/div><br>
><br>
> --20cf307811d0d379c404d032d6ee--<br>
<div><div>><br>
><br>
><br>
><br>
><br>
<br>
<br>
--<br>
Pierangelo Masarati<br>
Associate Professor<br>
Dipartimento di Ingegneria Aerospaziale<br>
Politecnico di Milano<br>
<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
--20cf307d04d2686d3904d0343c02--