[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5185) assertion failure in back-meta when the remote directory does not answer a bind request within the time allotted

mhardin@symas.com wrote:

> Remote directory servers that do not answer a bind request within the timeout
> period will cause an assertion failure in back-meta.
> Analysis:
> The meta_back_bind() function calls either meta_back_proxy_authz_bind() if the
> bind is taking place with back_meta's rootdn or meta_back_single_bind() if it's
> not. 
> Once they make the appropriate bind function call, each of these functions calls
> meta_back_bind_op_result() to process the result of the bind. Neither
> meta_back_proxy_authz_bind() or meta_back_single_bind() set the

Because it's meta_back_getconn() that's supposed to set that flag when

> When meta_back_bind_op_result() calls ldap_result(), one of the possible return
> codes is 0, and meta_back_bind_op_result() will repeat the ldap_result() call,
> provided the timeout hasn't been exceeded or back-meta has been told not to
> retry. 
> If the wait time has been exceeded the code falls through to an
> assert(LDAP_BACK_CONN_BINDING(msc)) statement. This assert is only valid when
> meta_back_do_bind() has made the function call, and it will fail if either
> meta_back_proxy_authz_bind() or meta_back_single_bind() made the function call.

The assert **should** always be valid.  Its execution indicates that
there's an error somewhere else.

Does this happen when binding as the rootdn of the back-meta instance,
or as a regular user?  If it occurs when binding as the rootdn, then I
think I know where the problem is.  In that case, apart from me fixing
the problem (working at it...), you should also use
"pseudoroot-bind-defer yes".


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it