
(ITS#7464) ldap_back_dobind_int breaking binded user



Full_Name: Sebastien Prune THOMAS
Version: slapd 2.4.31
OS: Linux CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.167.157.64)


I use OpenLDAP to proxy (with the module back-ldap) to an eDirectory LDAP
server.
Every once in a while I have long-lasting connections re-binding as anonymous,
breaking the actual bind.
This usually happens after hitting either the idle-timeout or the conn-ttl limit.
I wasn't able to find out what these values are when not set... but setting them
low can help reproduce the problem:

Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from
IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND
dn="cn=ldapintbind,o=corp" method=128
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND
dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2
deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP
dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6
text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2
deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying
URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int:
DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP
dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5
text=
Dec  6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)

There, the connection is opened on December 5... then idle... then another
search is done on December 6... and leads to a re-bind...

Either I don't understand why:

- OpenLDAP doesn't re-use the credentials of the first bind
OR
- OpenLDAP simply ends the TCP connection when the timeout is reached instead of
re-using it as if it were a new connection --> the client is not aware of
that and still thinks the last bind is valid.

I tried every option I could without success... 

For now, I set the conn-ttl and idle-timeout to the max an unsigned long could
support: 4294967294

Any other solution appreciated...
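The security-relevant point of the trace above is that the proxy kept serving the client's operations after the upstream connection had been re-bound anonymously: the same "member" compare that returned err=6 (compareTrue) on December 5 returns err=5 (compareFalse) on December 6, and nothing tells the client that its identity changed. The following is an added detection example, written here by the editor; it is not the reporter's code nor part of OpenLDAP. It assumes the slapd stats-log format shown in the report (one record per line; the mailer had wrapped the originals) and the literal "ldap_back_dobind_int: ... without creds, binding anonymously" message. It tracks each connection's last successful non-anonymous BIND, and when back-ldap logs an anonymous re-bind on that connection it records every subsequent operation and its result code, so an operator can see which requests were answered under a downgraded identity. The sample log is constructed from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the conn=1095 trace from the report, one record per line.
SAMPLE_LOG = """\
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" mech=SIMPLE ssf=0
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbind,o=corp"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec  6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec  6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)
"""

# Record layout assumed from the report: syslog timestamp, host, slapd[pid]:, conn=N, rest.
REC_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
ANON_RE = re.compile(r'^op=(?P<op>\d+) ldap_back_dobind_int: DN="(?P<dn>[^"]*)" without creds, binding anonymously')
OPER_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>SRCH|CMP|ADD|MOD|MODRDN|DEL|EXT)\b")
RESULT_RE = re.compile(r"^op=(?P<op>\d+) (?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")
CLOSE_RE = re.compile(r"^fd=\d+ closed")


@dataclass
class Downgrade:
    conn: str
    bound_dn: str        # identity the client successfully authenticated as
    bound_at: str
    downgraded_at: str   # when back-ldap re-bound the upstream connection anonymously
    # (op, kind, err) for every operation answered after the downgrade
    ops_after: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)


def find_anonymous_downgrades(lines):
    pending_bind: Dict[str, Tuple[str, str, str]] = {}  # conn -> (op, dn, ts) awaiting its RESULT
    bound: Dict[str, Tuple[str, str]] = {}              # conn -> (dn, ts) after a successful bind
    op_kind: Dict[Tuple[str, str], str] = {}            # (conn, op) -> SRCH / CMP / ...
    active: Dict[str, Downgrade] = {}                   # conn -> finding still collecting ops
    slot: Dict[Tuple[str, str], int] = {}               # (conn, op) -> index into ops_after
    findings: List[Downgrade] = []

    def record(conn, op):
        d = active[conn]
        if (conn, op) in slot:          # second log line for the same op (e.g. "SRCH attr=")
            return
        slot[(conn, op)] = len(d.ops_after)
        d.ops_after.append((op, op_kind.get((conn, op), "?"), None))

    for raw in lines:
        m = REC_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        ts, conn, rest = m.group("ts"), m.group("conn"), m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            pending_bind[conn] = (b.group("op"), b.group("dn"), ts)
            continue
        a = ANON_RE.match(rest)
        if a:
            if conn in bound and conn not in active:   # authenticated client, now anonymous upstream
                dn, bts = bound[conn]
                d = Downgrade(conn, dn, bts, ts)
                active[conn] = d
                findings.append(d)
                record(conn, a.group("op"))            # the op during which the re-bind happened
            continue
        o = OPER_RE.match(rest)
        if o:
            op_kind.setdefault((conn, o.group("op")), o.group("kind"))
            if conn in active:
                record(conn, o.group("op"))
            continue
        r = RESULT_RE.match(rest)
        if r:
            op, tag, err = r.group("op"), r.group("tag"), r.group("err")
            pb = pending_bind.get(conn)
            if pb and tag == "97" and pb[0] == op:     # tag 97 = BindResponse
                pending_bind.pop(conn)
                if err == "0" and pb[1]:
                    bound[conn] = (pb[1], pb[2])
                else:                                  # failed or anonymous bind: identity is anonymous
                    bound.pop(conn, None)
            idx = slot.pop((conn, op), None)
            if idx is not None and conn in active:
                o_, k_, _ = active[conn].ops_after[idx]
                active[conn].ops_after[idx] = (o_, k_, err)
            continue
        if CLOSE_RE.match(rest):
            for table in (pending_bind, bound, active):
                table.pop(conn, None)
    return findings


if __name__ == "__main__":
    for f in find_anonymous_downgrades(SAMPLE_LOG.splitlines()):
        print(f"conn={f.conn}: bound as {f.bound_dn} at {f.bound_at}, re-bound anonymously at {f.downgraded_at}")
        for op, kind, err in f.ops_after:
            print(f"  op={op} {kind} answered under anonymous upstream identity, err={err}")
```

Run against the sample, it reports one downgrade on conn=1095 with op=3 (SRCH, err=0) and op=4 (CMP, err=5) answered after the anonymous re-bind. Feeding it a live slapd log (loglevel stats) gives a list of connections whose later results should not be trusted as authenticated, which is the evidence needed when deciding whether lowering conn-ttl/idle-timeout, or raising them as the reporter did, is acceptable in a given deployment.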