Full_Name: Sebastien Prune THOMAS
Version: slapd 2.4.31
OS: Linux CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.167.157.64)
I use OpenLDAP to proxy (with the module back-ldap) to an eDirectory LDAP server. Every once in a while I have long-lasting connections re-binding as anonymous, breaking the actual bind. This usually happens after hitting either the idle-timeout or the conn-ttl limit. I wasn't able to find out what these values are when not set... but setting them low can help reproduce the problem:
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec 6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)
There, the connection is opened on December 5... then idle... then another search is done on December 6... and leads to a re-bind...
Either, I don't understand why:
- OpenLDAP doesn't re-use the credentials of the first bind, OR
- OpenLDAP simply ends the TCP connection when the timeout is reached instead of re-using it, as if it were a new connection --> the client is not aware of that and still thinks the last bind is valid.
I tried every option I could without success...
For now, I set the conn-ttl and idle-timeout to the max an unsigned long could support: 4294967294
Any other solution appreciated...
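The log excerpt above shows the two things a defender wants to catch when back-ldap silently downgrades a proxied connection: the `ldap_back_dobind_int ... binding anonymously` message on a connection that had already completed a successful non-anonymous BIND, and the authorization side effect that follows (the same `member` compare on `cn=00-BASICAUTH,o=corp` answering compareTrue, err=6, before the retry and compareFalse, err=5, after it). The following Python script is an added example, not code from the reporter or from the OpenLDAP project. It assumes the `loglevel stats`-style line format shown in the report (`conn=`, `op=`, `BIND dn=... method=`, `RESULT tag=97/111 err=`), and the sample input is simply the report's own log lines copied one per line.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the slapd log lines from the report above, one entry per line.
SAMPLE_LOG = """\
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 fd=39 ACCEPT from IP=10.100.64.68:33906 (IP=0.0.0.0:389)
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=corp" method=128
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 BIND dn="cn=ldapintbind,o=shq" mech=SIMPLE ssf=0
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=0 RESULT tag=97 err=0 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=pry))"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SRCH attr=uid
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 5 12:50:19 qxpldp01 slapd[40707]: conn=1095 op=2 RESULT tag=111 err=6 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH base="o=corp" scope=2 deref=3 filter="(&(objectClass=*)(uid=dln))"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SRCH attr=uid
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_retry: retrying URI="ldaps://10.100.120.153" DN="cn=ldapintbindo=corp"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 ldap_back_dobind_int: DN="cn=ldapintbind,o=corp" without creds, binding anonymously
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 CMP dn="cn=00-BASICAUTH,o=corp" attr="member"
Dec 6 09:22:51 qxpldp01 slapd[40707]: conn=1095 op=4 RESULT tag=111 err=5 text=
Dec 6 09:23:28 qxpldp01 slapd[40707]: conn=1095 fd=39 closed (slapd shutdown)
"""

# Assumed line shapes (from the report's excerpt): "conn=N [fd=N] [op=N] <message>".
CONN_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) (?:fd=\d+ )?(?:op=(\d+) )?(.*)$')
BIND_RE = re.compile(r'^BIND dn="([^"]*)" method=')
BIND_RESULT_RE = re.compile(r'^RESULT tag=97 err=(\d+)')          # tag 97 = BindResponse
ANON_RE = re.compile(r'^ldap_back_dobind_int: DN="([^"]*)" without creds, binding anonymously')
CMP_RE = re.compile(r'^CMP dn="([^"]*)" attr="([^"]*)"')
CMP_RESULT_RE = re.compile(r'^RESULT tag=111 err=(\d+)')          # tag 111 = CompareResponse


def audit_backldap_log(lines) -> Tuple[List[Tuple[int, int, str]],
                                       List[Tuple[int, int, str, str, int, int]]]:
    """Scan slapd stats log lines and return two findings lists:
    rebinds: (conn, op, bound_dn) for every anonymous back-ldap re-bind on a
             connection whose client had already completed a successful
             non-anonymous BIND (the credential downgrade itself);
    flips:   (conn, op, dn, attr, previous_err, new_err) for every compare whose
             result code differs from the previous compare of the same dn/attr on
             the same connection (6 = compareTrue, 5 = compareFalse), i.e. the
             visible authorization change the downgrade causes."""
    bound: Dict[str, str] = {}                      # conn -> DN of last successful BIND
    pending_bind: Dict[str, str] = {}               # conn -> DN of BIND awaiting RESULT
    pending_cmp: Dict[str, Tuple[str, str]] = {}    # conn -> (dn, attr) awaiting RESULT
    last_cmp: Dict[Tuple[str, str, str], int] = {}  # (conn, dn, attr) -> last err
    rebinds: List[Tuple[int, int, str]] = []
    flips: List[Tuple[int, int, str, str, int, int]] = []

    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, op_s, rest = m.group(1), m.group(2), m.group(3)
        op = int(op_s) if op_s is not None else -1

        b = BIND_RE.match(rest)
        if b:
            pending_bind[conn] = b.group(1)
            continue
        r = BIND_RESULT_RE.match(rest)
        if r and conn in pending_bind:
            dn = pending_bind.pop(conn)
            if r.group(1) == "0" and dn:            # success and not an anonymous bind
                bound[conn] = dn
            continue
        a = ANON_RE.match(rest)
        if a and conn in bound:
            rebinds.append((int(conn), op, bound[conn]))
            continue
        c = CMP_RE.match(rest)
        if c:
            pending_cmp[conn] = (c.group(1), c.group(2))
            continue
        cr = CMP_RESULT_RE.match(rest)
        if cr and conn in pending_cmp:
            dn, attr = pending_cmp.pop(conn)
            err = int(cr.group(1))
            key = (conn, dn, attr)
            if key in last_cmp and last_cmp[key] != err:
                flips.append((int(conn), op, dn, attr, last_cmp[key], err))
            last_cmp[key] = err
    return rebinds, flips


if __name__ == "__main__":
    rebinds, flips = audit_backldap_log(SAMPLE_LOG.splitlines())
    for conn, op, dn in rebinds:
        print(f"conn={conn} op={op}: anonymous re-bind after authenticated bind as {dn}")
    for conn, op, dn, attr, before, after in flips:
        print(f"conn={conn} op={op}: compare {dn} {attr} changed err={before} -> err={after}")
```

Run it against a real stats log with `audit_backldap_log(open("/var/log/slapd.log"))`; a non-empty `rebinds` list is the direct signal of the condition in this report, and a matching entry in `flips` shows the proxied client now getting a different authorization answer than it received on the same connection before the retry.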