
RE: back-meta (Was: (ITS#3971) slapo-glue dissolving after one query)



> I don't think any of our emails made it to the list...

Well, a couple of them apparently did :)

>
>> -----Original Message-----
>> From: Pierangelo Masarati [mailto:ando@sys-net.it]
>> Sent: Thursday, August 25, 2005 3:39 PM
>> To: Perry Nguyen
>> Cc: 'openldap-software@openldap.org
>> Subject: Re: back-meta (Was: (ITS#3971) slapo-glue dissolving
>> after one query)
>>
>> Perry Nguyen wrote:
>>
>> >1, yes, this error still occurs when no gluing is going on, I have the full
>> >loglevel -1 trace and commands used/input at
>> >http://w3.gofti.com/~pfnguyen/openldap/ldapsearch-bad-meta.txt
>> >
>> >
>> I haven't gone into details yet, but I believe this issue with back-meta
>> may have been cured in current re23 (i.e. code candidate for release as
>> next 2.3).  Similar behavior was observed some time because
>> ldap_result() after asynchronous bind was called with 0 timeout, i.e.
>> for a poll.  This has been reported to result in a storm of pollings.  I
>> wonder if you can give it a quick try.

I didn't have much time to look at your logs; however, it appears that few
of them actually have to do expressly with back-ldap or back-meta;
significantly, all those involving ldaps:// seem to have mostly to do with
certificate checking (I couldn't tell if on the remote or the local
server's side).  I suggest we try to work each issue out separately.
First of all you should try and set up something working (either with
back-meta or back-ldap) with plain ldap://; given the recent improvements
in both, I'd suggest you try with the latest OpenLDAP 2.3 code.  If the
setup works as expected, you can do some more tests about ldaps://; they
should most likely end up with requiring/disabling either remote
server-side or proxy-side certificate checking, based on your
requirements, and providing the appropriate configuration if certificate
checking is required.  Note that back-ldap in 2.3 also allows configuring
the use of Start TLS and TLS propagation (i.e. proxy with TLS only if it
was used in the connection from the client to the proxy).  If testing with
back-ldap yields positive results, I plan to extend this capability to
back-meta.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497