[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7008) paged results against ldap-proxy errors with 'cookie is invalid'

> Sounds like this may be related to ITS#6817. Please try adding a dummy
> binddn
> to your idassert-bind directive and re-test.

First of all, I believe the real problem is that pr should not be used by
the client in the first place.

However, the cause of the issue might be something slightly different:
back-ldap uses a pool of connections for special identities, including
anonymous and rootdn; the latter is the case when identity assertion is
used.  So it seems plausible that although the client uses the same
connection for repeated paged results requests, the proxy is using
different ones.

We already discussed the possibility to specially handle pr in proxies, in
order to decouple its use by the client and the remote server.  If slapd
handles pr in the frontend, a proxy does not need to propagate pr requests
to the remote server.  Similarly, if a remote server *needs* pr, the
client must not necessarily know about it.

Something like this has already been implemented in back-meta(5), which
can be instructed to silently continue unsolicited pr responses without
informing the client about them (I should have ported this to back-ldap(5)
as well).

If this is the case (need to investigate in detail, yet), a quick fix
could be to detect the presence of pr on a request, and bind the cookie to
a specific connection until that cookie is gone.  One thing that could be
tried is to use slapo-sssvlv(5) on top of back-ldap and let it deal with
the pr request.