[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8142) back-ldap transparent reconnecting is not so transparent

ebackes@symas.com wrote:
> Full_Name: Emily Backes
> Version: 2.4
> OS:
> URL:
> Submission from: (NULL) (
> Currently, back-ldap stores credentials in the outbound connection
> structure.  When that disappears, e.g. from idle-timeout, conn-ttl,
> network lossage, AD trouble, etc., the connection becomes unbound and
> AD returns err=1 (Operations error), which isn't enougfofor back-ldap
> to treat it as LDAP_UNAVAILABLE.
> Howard reports this is working-as-designed, even if the design is bad.
> Several ITS filings are still open about this problem; 5110, 6571, and
> 7464 are all related.
> At a minimum, we should drop the client connection if we can't keep
> the session stable.

This is not as simple as it sounds. In particular, back-ldap may be part of a 
larger glued tree of backends. A failure to search in the back-ldap context 
should not prevent the rest of the glued tree from being searched, and it 
should not drop the client connection.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/