[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Session Resumption problems with JSSE-OpenLDAP

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: RE: Session Resumption problems with JSSE-OpenLDAP
From: "Howard Chu" <hyc@symas.com>
Date: Wed, 4 Sep 2002 21:04:17 -0700
Cc: <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <5.1.0.14.0.20020904175819.0451cf30@127.0.0.1>

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> >Since the LDAP structure itself is freed during an unbind, I had
> to manually
> >retrieve the SSL pointer [ldap_get_option(ld,
> LDAP_OPT_X_TLS_SSL_CTX)] at the
> >app level. I added an ld->ld_ssl field to temporarily hold the SSL pointer
> >and a set_option() to set its value. In ldap_int_tls_connect I
> check for and
> >use the field and zero it, so re-use only happens once. It's not
> clear how to
> >make this work for an LDAP handle that has multiple active connections.
>
> Or when multiple hostnames for one are provided... or when one
> hostname refers to multiple addresses, possible different servers,
> ..., etc..

Yes... Times like these I'd like an ldap_unbind that was less thorough in its
teardown. We could leave the parsed URL and other hostname resolution results
cached, to speed up reconnects to a given server. I used this approach in my
HTTP library. Of course, it made sense for an HTTP client because you're
likely to open many connections to the same server, and this was before
HTTP/1.1 was widespread and connection-caching wasn't well supported.

I never timed out my cached HTTP connection info, so it would be possible to
get stuck with stale data if a domain was being updated while you were
browsing. Pretty darn unlikely. Also, the cache was small, maybe a dozen
connections' worth, so you'd turn it over pretty quickly anyway in an average
session. Applying this to an LDAP context is a bit different; I mainly see
this feature being useful for an LDAP proxy and/or pam/nss sorts of
long-lived uses. pam/nss is likely to only need to know about one server for
its whole lifetime, so an LRU DNS cache without aging would be bad.

Still, there might be a good reason to hang on to all the ldap_conn
structures that were built on a particular LDAP session, after unbind.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- RE: Session Resumption problems with JSSE-OpenLDAP
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: RE: Session Resumption problems with JSSE-OpenLDAP
Next by Date: Proxy cache extension for OpenLDAP
Index(es):
- Chronological
- Thread