Full_Name: Sebastien Prune THOMAS
Version: slapd 2.4.31
OS: Linux CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.167.157.64)

I use OpenLdap to proxy (with the module back-ldap) to an eDirectory LDAP server.
Every once in a while I have long-lasting connections re-binding as anonymous, breaking the actual bind.
This usually happens after hitting either the idle-timeout or the conn-ttl limit.
I wasn't able to find out what these values are when not set... but setting them low can help reproduce the problem:

Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec 6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)

There, the connection is opened on December the 5th... then idle... then another search is done on December the 6th... and leads to a re-bind...

Either I don't understand why:
- openldap doesn't re-use the credentials of the first bind, OR
- openldap simply ends the TCP connection when the timeout is reached instead of re-using it, as if it were a new connection --> the client is not aware of that and still thinks the last bind is valid.

I tried every option I could without success...
For now, I set the conn-ttl and idle-timeout to the max an unsigned long could support: 4294967294

Any other solution appreciated...
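The log above is the whole evidence of the downgrade: the client bound as cn=ldapintbind on op=0, back-ldap rebound the same connection anonymously on op=3, and the compare that answered compareTrue (err=6) on op=2 answered compareFalse (err=5) on op=4. The script below is an added example, not code from the bug report or from OpenLDAP; it scans slapd stats-level log lines for exactly that pattern so the silent loss of privileges can be alerted on. The SAMPLE_LOG is the conn=1095 excerpt from the report; the alert dictionaries and their field names are this script's own.

```python
"""Detect back-ldap's silent fall-back to an anonymous rebind in slapd logs.

Added example, not code from the bug report or from OpenLDAP. It remembers
the DN each client connection successfully bound as and raises an alert
when back-ldap later logs that it rebound that connection anonymously. It
also flags a compare on that connection whose answer flipped from
compareTrue (err=6) to compareFalse (err=5) after the downgrade.
"""
import re

# Constructed from the conn=1095 excerpt in the report above.
SAMPLE_LOG = """\
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec 6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)
"""

# The client-presented DN is on the "method=128" BIND line; the later
# "mech=SIMPLE" line carries the (possibly rewritten) DN and is ignored.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
CMP_RE = re.compile(r'conn=(\d+) op=(\d+) CMP dn="([^"]*)" attr="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
ANON_RE = re.compile(r'conn=(\d+) op=(\d+) ldap_back_dobind_int: DN="([^"]*)" '
                     r'without creds, binding anonymously')

TAG_BIND_RESPONSE = 97      # LDAP BindResponse application tag
TAG_COMPARE_RESPONSE = 111  # LDAP CompareResponse application tag
COMPARE_FALSE, COMPARE_TRUE = 5, 6  # LDAP result codes


def scan(lines):
    """Return a list of alert dicts for an iterable of slapd log lines."""
    bound = {}          # conn -> DN the client successfully authenticated as
    pending = {}        # (conn, op) -> ("bind", dn) or ("cmp", dn, attr)
    last_cmp = {}       # (conn, dn, attr) -> last compare result code
    downgraded = set()  # conns that back-ldap has rebound anonymously
    alerts = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = ("bind", dn)
            continue
        m = CMP_RE.search(line)
        if m:
            conn, op, dn, attr = m.groups()
            pending[(conn, op)] = ("cmp", dn, attr)
            continue
        m = ANON_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            if bound.get(conn):  # only a downgrade if the client really bound
                downgraded.add(conn)
                alerts.append({"kind": "anonymous_rebind", "conn": conn, "op": op,
                               "bound_as": bound[conn], "retry_dn": dn})
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, tag, err = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        info = pending.pop((conn, op), None)
        if info is None:
            continue
        if info[0] == "bind" and tag == TAG_BIND_RESPONSE and err == 0 and info[1]:
            bound[conn] = info[1]
        elif info[0] == "cmp" and tag == TAG_COMPARE_RESPONSE:
            key = (conn, info[1], info[2])
            if conn in downgraded and last_cmp.get(key) == COMPARE_TRUE and err == COMPARE_FALSE:
                alerts.append({"kind": "compare_flip", "conn": conn, "op": op,
                               "dn": info[1], "attr": info[2]})
            last_cmp[key] = err
    return alerts


def scan_text(text):
    return scan(text.splitlines())


if __name__ == "__main__":
    for alert in scan_text(SAMPLE_LOG):
        print(alert)
```

Run against the report's excerpt it produces two alerts, one for the anonymous rebind on op=3 and one for the flipped compare on op=4. The "without creds, binding anonymously" message is the only direct trace of the downgrade, so it is worth alerting on even when no compare follows: a client that believes it is bound as a privileged account is then searching as nobody.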
> I use OpenLdap to proxy (with the module back-ldap) to an eDirectory LDAP server.
> Every once in a while I have long-lasting connections re-binding as anonymous, breaking the actual bind.
> This usually happens after hitting either the idle-timeout or the conn-ttl limit.
> I wasn't able to find out what these values are when not set... but setting them low can help reproduce the problem:

What is the configuration of back-ldap? Can you post it (after sanitizing sensitive info)?

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Config is basic (with special timeout tests commented out):

    database ldap
    suffix "o=corp"
    uri ldaps://10.100.120.153

    # close connection after a timeout
    #idletimeout 100
    # causes a cached connection to be dropped and recreated after a given ttl
    #conn-ttl 4294967294
    # close connection after a timeout for ldap backend
    #idle-timeout 4294967294
    # Discards current cached connection when the client rebinds - defaults to No
    #single-conn no

    overlay rwm
    rwm-suffixmassage "o=corp" "o=int"

2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
> What is the configuration of back-ldap? Can you post it (after sanitizing sensitive info)?
> Config is basic (with special timeout tests commented out):
>
> database ldap
> suffix "o=corp"
> uri ldaps://10.100.120.153
>
> # close connection after a timeout
> #idletimeout 100
> # causes a cached connection to be dropped and recreated after a given ttl
> #conn-ttl 4294967294
> # close connection after a timeout for ldap backend
> #idle-timeout 4294967294
> # Discards current cached connection when the client rebinds - defaults to No
> #single-conn no

Try adding a "rebind-as-user" here. This forces back-ldap to store the client's credentials in order to rebind when needed (e.g. because a persistent connection timed out).

p.

> overlay rwm
> rwm-suffixmassage "o=corp" "o=int"
>
> 2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
>> What is the configuration of back-ldap? Can you post it (after sanitizing sensitive info)?

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Actually I had this before and that did not change anything. I don't think this directive is used for this kind of "timeouts"...

I also tried:

    chase-referrals yes (this is default)
    rebind-as-user yes (as suggested here)
    single-conn yes (default to NO)

I also tried some combinations of idassert-bind options with no luck (as the backend does not support identity assertion).

2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
> Try adding a "rebind-as-user" here. This forces back-ldap to store the client's credentials in order to rebind when needed (e.g. because a persistent connection timed out).
>
> p.
Here is a quick Python script that can be used to query an LDAP proxy. Running it while the proxy is configured with conn-ttl = 5 will trigger the error after 5 seconds:

    import sys
    import time

    import ldap  # python-ldap

    ldap_server = "localhost"
    dn = "cn=ldapintbind,o=corp"
    pw = "your password here"

    con = ldap.initialize('ldap://' + ldap_server)
    try:
        # con.start_tls_s()
        con.simple_bind_s(dn, pw)
        con.set_option(ldap.OPT_DEREF, ldap.DEREF_ALWAYS)  # deref=3, as in the log
        scope = ldap.SCOPE_SUBTREE
        base = "o=corp"
        search_filter = "(&(objectClass=*)(uid=dln))"
        retrieve_attributes = ["uid"]
        essai = 0
        while True:
            # Repeat the same search once a second; once conn-ttl expires the
            # proxy prunes its cached backend connection and has to rebind.
            print(str(essai) + ".")
            essai += 1
            result = con.search_s(base, scope, search_filter, retrieve_attributes)
            # print(result)  # uncomment to dump the returned entries
            time.sleep(1)
    except ldap.LDAPError as e:
        # python-ldap reports the server's diagnostic as a dict in e.args[0];
        # 'info' is optional, so look it up defensively.
        info = e.args[0] if e.args and isinstance(e.args[0], dict) else {}
        print(info.get('info', ''))
        print(info.get('desc', str(e)))
        sys.exit()

2012/12/6 Sebastien Thomas <prune@lecentre.net>
> Actually I had this before and that did not change anything. I don't think this directive is used for this kind of "timeouts"...
> [...]
> Actually I had this before and that did not change anything. I don't think this directive is used for this kind of "timeouts"...
>
> I also tried:
>
> chase-referrals yes (this is default)
> rebind-as-user yes (as suggested here)
> single-conn yes (default to NO)
>
> I also tried some combinations of idassert-bind options with no luck (as the backend does not support identity assertion).

By backend do you mean the remote server you're trying to proxy?

I see your problem. Indeed, when a connection is pruned (in your case because it timed out), information about the client's credentials is lost. Back-ldap is working incorrectly, since it falls back to trying to rebind anonymously. However, the only other reasonable option could only be to return a meaningful error (or to drop the connection with the client).

Things work fine with identity assertion, because in that case the client's credentials are no longer needed; what counts is that the client's connection is alive and authenticated, so the client's identity can be asserted.

You'd need to do something like

    idassert-bind bindmethod=simple
        binddn="<authorizing dn>"
        credentials="<authorizing credentials>"
        mode=self
        flags=override

(tested, works fine). However, I understood from what you wrote above that this is not an option.

I see one quick solution: bail out when the connection is lost and idassert is not going to take place. This requires a minimal patch.

An alternative could be to find a decent manner to store the client's credentials in the frontend's connection with the client (as much as we do for the client's identity in c_authz). This will live as long as the client's connection stays alive (something like what we do for paged results).

[disclaimer: I'll look into this time permitting; I can't commit to fixing it any time soon]

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
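The three behaviours weighed in the message above (rebind anonymously, fail with an error, or keep the client's credentials on the frontend connection and rebind as the user) are easiest to compare side by side in a small model. The following is an added example, not OpenLDAP code and not the rebind-as-user directive that was already tried: a proxy that caches one backend connection per client connection, prunes it after conn-ttl seconds, and applies one of the three policies when the next operation arrives. The Backend, Proxy and FakeClock classes, the 30-second TTL and the sample directory contents are this model's own assumptions.

```python
"""Model of the back-ldap rebind policies discussed above.

Added example, not OpenLDAP code. It models what happens to an
authenticated client's compare once the cached backend connection is
pruned, under each of the policies proposed in the thread.
"""
import enum

COMPARE_FALSE, COMPARE_TRUE = 5, 6  # LDAP result codes


class Policy(enum.Enum):
    ANON_REBIND = "rebind anonymously (behaviour seen in the report)"
    FAIL_CLOSED = "return an error when the cached connection is gone"
    STORED_CREDS = "rebind with credentials kept on the client connection"


class FakeClock:
    """Deterministic clock so conn-ttl expiry can be driven without sleeping."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class Backend:
    """Stand-in for the remote directory (constructed sample data): passwords
    plus a group whose 'member' attribute only authenticated users may read."""
    def __init__(self, passwords, groups):
        self.passwords = passwords  # dn -> password
        self.groups = groups        # group dn -> set of member dns

    def bind(self, dn, password):
        if dn is None:
            return None             # anonymous session
        if self.passwords.get(dn) != password:
            raise PermissionError("invalidCredentials")
        return dn

    def compare_member(self, authz_dn, group_dn, value):
        # An anonymous caller cannot read 'member', so the compare answers
        # compareFalse instead of compareTrue: the report's err=6 -> err=5.
        if authz_dn is None:
            return COMPARE_FALSE
        return COMPARE_TRUE if value in self.groups.get(group_dn, ()) else COMPARE_FALSE


class Proxy:
    """One client connection and its cached backend connection."""
    def __init__(self, backend, policy, conn_ttl, clock):
        self.backend, self.policy, self.conn_ttl, self.clock = backend, policy, conn_ttl, clock
        self.client_dn = None
        self.client_pw = None   # retained only under STORED_CREDS
        self.cached = None      # (authorization dn, creation time)

    def client_bind(self, dn, password):
        authz = self.backend.bind(dn, password)
        self.client_dn = dn
        self.client_pw = password if self.policy is Policy.STORED_CREDS else None
        self.cached = (authz, self.clock.now)

    def _backend_authz(self):
        if self.cached and self.clock.now - self.cached[1] < self.conn_ttl:
            return self.cached[0]
        # conn-ttl hit: the cached connection is pruned and must be rebound.
        if self.policy is Policy.STORED_CREDS:
            authz = self.backend.bind(self.client_dn, self.client_pw)
        elif self.policy is Policy.FAIL_CLOSED:
            raise ConnectionError("unavailable: backend connection lost, no credentials to rebind")
        else:
            authz = self.backend.bind(None, None)  # the reported bug: silent downgrade
        self.cached = (authz, self.clock.now)
        return authz

    def compare_member(self, group_dn, value):
        return self.backend.compare_member(self._backend_authz(), group_dn, value)


def run_scenario(policy, conn_ttl=30):
    """Bind, compare, wait past conn-ttl, compare again; return both outcomes."""
    clock = FakeClock()
    backend = Backend({"cn=ldapintbind,o=corp": "secret"},
                      {"cn=00-BASICAUTH,o=corp": {"uid=dln,o=corp"}})
    proxy = Proxy(backend, policy, conn_ttl, clock)
    proxy.client_bind("cn=ldapintbind,o=corp", "secret")
    first = proxy.compare_member("cn=00-BASICAUTH,o=corp", "uid=dln,o=corp")
    clock.advance(conn_ttl + 1)
    try:
        second = proxy.compare_member("cn=00-BASICAUTH,o=corp", "uid=dln,o=corp")
    except ConnectionError as exc:
        second = str(exc).split(":")[0]   # "unavailable"
    return first, second


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.value}: {run_scenario(policy)}")
```

Only the anonymous-rebind policy changes the answer from 6 to 5 while leaving the client convinced it is still bound; failing closed turns the same event into a visible error the client can handle by rebinding, and keeping the credentials makes the pruning invisible. That is why an authenticated session silently continuing as anonymous is the outcome to design out, whichever of the two fixes is chosen.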
Setting the timeout to 4294967294 should do the trick for now... but this is really a sort of bug to me, as back-ldap should not behave this way when it has no credentials to use...
Surely, closing the connection with the client may be the best solution...

2012/12/6 Pierangelo Masarati <masarati@aero.polimi.it>
> I see one quick solution: bail out when the connection is lost and idassert is not going to take place. This requires a minimal patch.
>
> An alternative could be to find a decent manner to store the client's credentials in the frontend's connection with the client (as much as we do for the client's identity in c_authz). This will live as long as the client's connection stays alive (something like what we do for paged results).
>
> [disclaimer: I'll look into this time permitting; I can't commit to fixing it any time soon]
>
> p.
moved from Incoming to Software Bugs
fixed for ITS#8142
changed notes changed state Open to Closed