[Date Prev][Date Next]
Re: (ITS#4387) slapd-ldap backend leaks descriptors on closed connections on x86_64
>> Let me
>> point out that in my opinion reusing a bound connection to rebind with a
>> different identity sounds like a poor client design.
> In my opinion it's a very good design in the given case - the role ot
> Courier's authdaemon (among other roles, e.g. account lookup) is to
> check validity of user credentials.
> It does multiple credential checks on a single LDAP connection to
> conserve resources - to test a password, it doesn't need to open a new
> LDAP connection every time and then close it .
> This is a good design from the performance perspective, and I'd
> speculate that LDAP protocol permits multiple bind operations per
> connection because its designers have foreseen this usage scenario
> (LDAP was designed as a network authentication protocol, among other
Actually not, but it has been used as such simply because it accomodates
such a rich set of authentication mechanisms.
There's a simple tradeoff here - if you use a single connection for all
Binds, you must fully serialize the procedure, because the receipt of
any Bind request automatically aborts any other outstanding requests on
the connection. If you use multiple connections, you can have multiple
authentication attempts in progress at once. For back-ldap, we felt it
was more important to support high concurrency.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/