Full_Name: Emily Backes
Version: 2.4
OS:
URL:
Submission from: (NULL) (50.113.67.84)

Currently, back-ldap stores credentials in the outbound connection structure. When that disappears, e.g. from idle-timeout, conn-ttl, network lossage, AD trouble, etc., the connection becomes unbound and AD returns err=1 (Operations error), which isn't enough for back-ldap to treat it as LDAP_UNAVAILABLE.

Howard reports this is working-as-designed, even if the design is bad. Several ITS filings are still open about this problem; 5110, 6571, and 7464 are all related.

At a minimum, we should drop the client connection if we can't keep the session stable. If we keep it open, we need to ensure we can precisely duplicate the client session-state, including credentials. (this would be very useful).

ebackes@symas.com wrote:
> Full_Name: Emily Backes
> Version: 2.4
> OS:
> URL:
> Submission from: (NULL) (50.113.67.84)
>
>
> Currently, back-ldap stores credentials in the outbound connection
> structure. When that disappears, e.g. from idle-timeout, conn-ttl,
> network lossage, AD trouble, etc., the connection becomes unbound and
> AD returns err=1 (Operations error), which isn't enough for back-ldap
> to treat it as LDAP_UNAVAILABLE.
>
> Howard reports this is working-as-designed, even if the design is bad.
> Several ITS filings are still open about this problem; 5110, 6571, and
> 7464 are all related.
>
> At a minimum, we should drop the client connection if we can't keep
> the session stable.

This is not as simple as it sounds. In particular, back-ldap may be part of a larger glued tree of backends. A failure to search in the back-ldap context should not prevent the rest of the glued tree from being searched, and it should not drop the client connection.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

changed notes
changed state Open to Test
moved from Incoming to Software Bugs

changed notes

hyc@symas.com wrote:
> ebackes@symas.com wrote:
>> Full_Name: Emily Backes
>> Version: 2.4
>> OS:
>> URL:
>> Submission from: (NULL) (50.113.67.84)
>>
>>
>> Currently, back-ldap stores credentials in the outbound connection
>> structure. When that disappears, e.g. from idle-timeout, conn-ttl,
>> network lossage, AD trouble, etc., the connection becomes unbound and
>> AD returns err=1 (Operations error), which isn't enough for back-ldap
>> to treat it as LDAP_UNAVAILABLE.
>>
>> Howard reports this is working-as-designed, even if the design is bad.
>> Several ITS filings are still open about this problem; 5110, 6571, and
>> 7464 are all related.

#5110 looks unrelated actually.

>> At a minimum, we should drop the client connection if we can't keep
>> the session stable.
>
> This is not as simple as it sounds. In particular, back-ldap may be part of a
> larger glued tree of backends. A failure to search in the back-ldap context
> should not prevent the rest of the glued tree from being searched, and it
> should not drop the client connection.
>

Fixed now in master.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

changed notes
changed state Test to Release

fixed in master
fixed in RE25
fixed in RE24
see ITS#7464 for more detailed discussion

changed notes
changed state Release to Closed