mhardin@symas.com wrote:
> Remote directory servers that do not answer a bind request within the timeout period will cause an assertion failure in back-meta.
> Analysis: The meta_back_bind() function calls either meta_back_proxy_authz_bind() if the bind is taking place with back_meta's rootdn or meta_back_single_bind() if it's not.
> Once they make the appropriate bind function call, each of these functions calls meta_back_bind_op_result() to process the result of the bind. Neither meta_back_proxy_authz_bind() nor meta_back_single_bind() sets the LDAP_BACK_CONN_BINDING state.
Because it's meta_back_getconn() that's supposed to set that flag when appropriate.
> When meta_back_bind_op_result() calls ldap_result(), one of the possible return codes is 0, and meta_back_bind_op_result() will repeat the ldap_result() call, provided the timeout hasn't been exceeded or back-meta has been told not to retry.
> If the wait time has been exceeded, the code falls through to an assert(LDAP_BACK_CONN_BINDING(msc)) statement. This assert is only valid when meta_back_do_bind() has made the function call, and it will fail if either meta_back_proxy_authz_bind() or meta_back_single_bind() made the function call.
The assert **should** always be valid. Its execution indicates that there's an error somewhere else.
Does this happen when binding as the rootdn of the back-meta instance, or as a regular user? If it occurs when binding as the rootdn, then I think I know where the problem is. In that case, apart from me fixing the problem (working at it...), you should also use "pseudoroot-bind-defer yes".
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------