Here is a quick Python script that can be used to query an LDAP proxy. Running it while the proxy is configured with conn-ttl = 5 will trigger the error after 5 seconds:

    import sys
    import time

    import ldap

    ldap_server = "localhost"
    dn = "cn=ldapintbind,o=corp"
    pw = "your password here"

    con = ldap.initialize("ldap://" + ldap_server)
    try:
        # con.start_tls_s()
        con.simple_bind_s(dn, pw)
        con.set_option(ldap.OPT_DEREF, 3)

        scope = ldap.SCOPE_SUBTREE
        base = "o=corp"
        search_filter = "(&(objectClass=*)(uid=dln))"
        retrieve_attributes = ["uid"]

        # Repeat the same search once per second on the same bound
        # connection; once the proxy's conn-ttl expires, the search fails.
        essai = 0
        while True:
            print(str(essai) + ".")
            essai += 1
            result = con.search_s(base, scope, search_filter, retrieve_attributes)
            # pprint.pprint(result)
            time.sleep(1)

    except ldap.LDAPError as e:
        # python-ldap passes a dict with 'desc' (and sometimes 'info') as e.args[0]
        info = e.args[0] if e.args else None
        if isinstance(info, dict):
            print(info.get("desc", ""))
            print(info.get("info", ""))
        else:
            print(e)
        sys.exit(1)
2012/12/6 Sebastien Thomas prune@lecentre.net
Actually I had this before and that did not change anything. I don't think this directive is used for this kind of "timeouts"...

I also tried:

chase-referrals yes (this is default)
rebind-as-user yes (as suggested here)
single-conn yes (default to NO)

I also tried some combinations of idassert-bind options with no luck (as the backend does not support identity assertion).
2012/12/6 Pierangelo Masarati masarati@aero.polimi.it
Config is basic (with special timeout tests commented out):

database        ldap
suffix          "o=corp"
uri             ldaps://10.100.120.153

# close connection after a timeout
#idletimeout    100
# causes a cached connection to be dropped and recreated after a given ttl
#conn-ttl       4294967294
# close connection after a timeout for ldap backend
#idle-timeout   4294967294
# Discards current cached connection when the client rebinds - default to No
#single-conn    no

Try adding a "rebind-as-user" here. This forces back-ldap to store client's credentials in order to rebind when needed (e.g. because a persistent connection timed out).

p.

overlay         rwm
rwm-suffixmassage "o=corp" "o=int"
2012/12/6 Pierangelo Masarati masarati@aero.polimi.it
Full_Name: Sebastien Prune THOMAS
Version: slapd 2.4.31
OS: Linux CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.167.157.64)

I use OpenLDAP to proxy (with the module back-ldap) to an eDirectory LDAP server. Every once in a while I have long lasting connections re-binding as anonymous, breaking the actual bind. This usually happens after hitting either the idle-timeout or the conn-ttl limit. I wasn't able to find out what these values are when not set... but setting them low can help reproduce the problem:

What is the configuration of back-ldap? Can you post it (after sanitizing sensitive info)?

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
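The interaction this thread is about (a back-ldap cached connection that expires through conn-ttl or idle-timeout and then cannot be rebound with the client's credentials unless rebind-as-user is set) is easy to check for mechanically. The following is an added example written for this page, not code from the thread or from OpenLDAP: it parses a slapd.conf fragment and reports a "database ldap" section that sets conn-ttl or idle-timeout without "rebind-as-user yes", and it also reports the global "idletimeout" spelling inside a database section, since the per-connection back-ldap directive is "idle-timeout". The directive names are the real slapd-ldap(5) and slapd.conf(5) ones; the two sample configs and the backend URI in them are constructed.

```python
"""Lint a slapd.conf fragment for the back-ldap timeout/rebind interaction.

Added example for this thread; not code from the thread or from OpenLDAP.
conn-ttl, idle-timeout, rebind-as-user and single-conn are real slapd-ldap(5)
directives and idletimeout is the global slapd.conf(5) directive; the sample
configs below are constructed for illustration.
"""
import shlex


def parse_slapd_conf(text):
    """Return [(directive, [args]), ...] in file order.

    slapd.conf rules applied: a line whose first non-blank character is '#'
    is a comment, a line starting with whitespace continues the previous
    directive, and arguments may be double-quoted.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    parsed = []
    for line in logical:
        parts = shlex.split(line)
        parsed.append((parts[0].lower(), parts[1:]))
    return parsed


def split_databases(directives):
    """Group directives into (database type, {directive: args}) sections.
    Directives before the first 'database' line are global and skipped."""
    sections = []
    current = None
    for name, args in directives:
        if name == "database":
            current = (args[0].lower() if args else "", {})
            sections.append(current)
        elif current is not None:
            current[1][name] = args
    return sections


def lint_back_ldap(text):
    """Return a list of human-readable findings, one per problem found."""
    findings = []
    for db_type, d in split_databases(parse_slapd_conf(text)):
        if db_type != "ldap":
            continue
        uri = " ".join(d.get("uri") or ["<no uri>"])
        expiring = [k for k in ("conn-ttl", "idle-timeout") if k in d]
        rebind = (d.get("rebind-as-user") or ["no"])[0].lower() == "yes"
        if expiring and not rebind:
            findings.append(
                "%s: %s set without 'rebind-as-user yes'; when a cached "
                "connection expires back-ldap has no stored client "
                "credentials to rebind with" % (uri, ", ".join(expiring))
            )
        if "idletimeout" in d:
            findings.append(
                "%s: 'idletimeout' is the global frontend directive; the "
                "back-ldap per-connection setting is 'idle-timeout'" % uri
            )
    return findings


# Constructed sample modelled on the thread's config, with the timeout
# directives enabled and no rebind-as-user (the reported failure mode).
SAMPLE_WEAK = """\
database        ldap
suffix          "o=corp"
uri             ldaps://backend.example.invalid
idletimeout     100
conn-ttl        5
overlay         rwm
rwm-suffixmassage "o=corp"
                  "o=int"
"""

# Same proxy with the directive suggested in the thread and the correct spelling.
SAMPLE_FIXED = """\
database        ldap
suffix          "o=corp"
uri             ldaps://backend.example.invalid
idle-timeout    100
conn-ttl        5
rebind-as-user  yes
overlay         rwm
rwm-suffixmassage "o=corp" "o=int"
"""

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label + ":")
        for finding in lint_back_ldap(cfg) or ["no findings"]:
            print("  " + finding)
```

The trade-off the check points at is worth keeping in mind: rebind-as-user makes the proxy hold each client's bind credentials in memory for the life of the cached connection, which is exactly what lets it recover from a TTL expiry without silently downgrading the session to anonymous. Run the script against a sanitized slapd.conf to see which of the two states a proxy is in.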