[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: back-meta (Was: (ITS#3971) slapo-glue dissolving after one query)


Well, I tried the latest RE23 code, and still ran into the same problem,
ldapsearch reports err=51, you can find the complete loglevel -1 log and
relevant detail bits at


> >> -----Original Message-----
> >> From: Pierangelo Masarati [mailto:ando@sys-net.it]
> >> Sent: Thursday, August 25, 2005 3:39 PM
> >> To: Perry Nguyen
> >> Cc: 'openldap-software@openldap.org
> >> Subject: Re: back-meta (Was: (ITS#3971) slapo-glue dissolving
> >> after one query)

> >> Perry Nguyen wrote:

> >> >1, yes, this error still occurs when no gluing is going on,
> >> I have the full
> >> >loglevel -1 trace and commands used/input at
> >> >http://w3.gofti.com/~pfnguyen/openldap/ldapsearch-bad-meta.txt

> >> I haven't gone into details yet, but I believe this issue
> >> with back-meta
> >> may have been cured in current re23 (i.e. code candidate for
> >> release as
> >> next 2.3).  Similar behavior was observed some time because
> >> ldap_result() after asynchoronous bind was called with 0
> >> timeout, i.e.
> >> for a poll.  This has been reported to result in a storm of
> >> pollings.  I
> >> wonder if you can give it a quick try.

> I didn't have much time to look at your logs; however, it 
> appears that few
> of them actually have to do expressly with back-ldap or back-meta;
> significantly, all those involving ldaps:// seem to have 
> mostly to do with
> certificate checking (I couldn't tell if on the reomte or the local
> server's side).  I suggest we try to work each issue out separately. 
> First of all you should try and set up something working (either with
> back-meta or back-ldap) with plain ldap://; given the recent 
> improvements
> in both, I'd suggest you try with the latest OpenLDAP 2.3 
> code.  If the
> setup works as expected, you can do some more tests about 
> ldaps://; they
> should mostly likely end up with requiring/disabling either remote
> server-side or proxy-side certificate checking, based on your
> requirements, and providing the appropriate configuration if 
> certificate
> checking is required.  Note that back-ldap in 2.3 also allows 
> to configure
> the use if Start TLS and TLS propagation (i.e. proxy with TLS 
> only if it
> was used in the connection from the client to the proxy).  If 
> testing with
> back-ldap yields positive results, I plan to extend this capability to
> back-meta.