Re: (ITS#7464) ldap_back_dobind_int breaking binded user

masarati Thu, 06 Dec 2012 10:30:35 -0800

> --20cf307811d0d379c404d032d6ee
> Content-Type: text/plain; charset=ISO-8859-1
>
> Config is basic (with special timeout tests commented out) :
>
> database      ldap
> suffix            "o=corp"
> uri                 ldaps://10.100.120.153
>
> # close connection after a timeout
> #idletimeout     100
> # causes a cached connection to be dropped an recreated after a given ttl
> #conn-ttl        4294967294
> # close connection after a timeout for ldap backend
> #idle-timeout    4294967294
> # Discards current cached connection when the client rebinds - default to
> No
> #single-conn     no



Try adding a "rebind-as-user" here.  This forces back-ldap to store
client's credentials in order to rebind when needed (e.g. because a
persistent connection timed out).

p.

> overlay         rwm
> rwm-suffixmassage "o=corp" "o=int"
>
>
> 2012/12/6 Pierangelo Masarati <[email protected]>
>
>>
>> > Full_Name: Sebastien Prune THOMAS
>> > Version: slapd 2.4.31
>> > OS: Linux CentOS
>> > URL: ftp://ftp.openldap.org/incoming/
>> > Submission from: (NULL) (206.167.157.64)
>> >
>> >
>> > I use OpenLdap to proxy (with the module back-ldap) to a eDirectory
>> LDAP
>> > server.
>> > Every once and a while I have long lasting connections re-binding as
>> > anonymous,
>> > breaking the actual bind.
>> > This usualy happen after hitting either the idle-timeout or the
>> conn-ttl
>> > limit.
>> > I wasn't able to find out what these values are when not set... but
>> > setting them
>> > low can help reproduce the problem :
>>
>> What is the configuration of back-ldap?  Can you post it (after
>> sanitizing
>> sensitive info)?
>>
>> p.
>>
>> --
>> Pierangelo Masarati
>> Associate Professor
>> Dipartimento di Ingegneria Aerospaziale
>> Politecnico di Milano
>>
>>
>
> --20cf307811d0d379c404d032d6ee
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> <div style=3D"font-family:Tahoma;font-size:13px">Config is basic (with
> spec=
> ial timeout tests commented out) :</div><div
> style=3D"font-family:Tahoma;fo=
> nt-size:13px">=A0</div><div
> style=3D"font-family:Tahoma;font-size:13px">dat=
> abase =A0 =A0 =A0ldap<br>
> suffix =A0 =A0 =A0 =A0 =A0
> =A0&quot;o=3Dcorp&quot;<br>uri=A0=A0=A0=A0=A0=A0=
> =A0=A0=A0=A0=A0=A0=A0 =A0 =A0<a>ldaps://10.100.120.153</a></div><div
> style=
> =3D"font-family:Tahoma;font-size:13px">=A0</div><div
> style=3D"font-family:T=
> ahoma;font-size:13px"># close connection after a timeout<br>
> #idletimeout=A0=A0=A0=A0 100<br># causes a cached connection to be dropped
> =
> an recreated after a given ttl<br>#conn-ttl=A0=A0=A0=A0=A0=A0=A0
> 4294967294=
> <br># close connection after a timeout for ldap
> backend<br>#idle-timeout=A0=
> =A0=A0 4294967294<br># Discards current cached connection when the client
> r=
> ebinds - default to No<br>
> #single-conn=A0=A0=A0=A0 no</div><div
> style=3D"font-family:Tahoma;font-size=
> :13px"><br>overlay=A0=A0=A0=A0=A0=A0=A0=A0 rwm<br>rwm-suffixmassage
> &quot;o=
> =3Dcorp&quot; &quot;o=3Dint&quot;</div><div
> class=3D"gmail_extra"><br><br><=
> div class=3D"gmail_quote">2012/12/6 Pierangelo Masarati <span
> dir=3D"ltr">&=
> lt;<a href=3D"mailto:[email protected]";
> target=3D"_blank">masarati@ae=
> ro.polimi.it</a>&gt;</span><br>
> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
> .8ex;border-left:1p=
> x #ccc solid;padding-left:1ex"><br>
> &gt; Full_Name: Sebastien Prune THOMAS<br>
> &gt; Version: slapd 2.4.31<br>
> &gt; OS: Linux CentOS<br>
> &gt; URL: <a href=3D"ftp://ftp.openldap.org/incoming/";
> target=3D"_blank">ft=
> p://ftp.openldap.org/incoming/</a><br>
> &gt; Submission from: (NULL) (206.167.157.64)<br>
> &gt;<br>
> &gt;<br>
> &gt; I use OpenLdap to proxy (with the module back-ldap) to a eDirectory
> LD=
> AP<br>
> &gt; server.<br>
> &gt; Every once and a while I have long lasting connections re-binding
> as<b=
> r>
> &gt; anonymous,<br>
> &gt; breaking the actual bind.<br>
> &gt; This usualy happen after hitting either the idle-timeout or the
> conn-t=
> tl<br>
> &gt; limit.<br>
> &gt; I wasn&#39;t able to find out what these values are when not set...
> bu=
> t<br>
> &gt; setting them<br>
> &gt; low can help reproduce the problem :<br>
> <br>
> What is the configuration of back-ldap? =A0Can you post it (after
> sanitizin=
> g<br>
> sensitive info)?<br>
> <span class=3D"HOEnZb"><font color=3D"#888888"><br>
> p.<br>
> <br>
> --<br>
> Pierangelo Masarati<br>
> Associate Professor<br>
> Dipartimento di Ingegneria Aerospaziale<br>
> Politecnico di Milano<br>
> <br>
> </font></span></blockquote></div><br></div>
>
> --20cf307811d0d379c404d032d6ee--
>
>
>
>
>


-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano

Re: (ITS#7464) ldap_back_dobind_int breaking binded user

Reply via email to