jorge.perez@adaptia.net wrote:

When we have two slapds with a established meta connection between them and the connection is reset, for example by a router, the next search query will always be send with never in dereferencing.

Steps to reproduce:

• Established a meta connection between 2 slapds
• Reset the connection, for example with cutter
• Send a search dereferencing with something different to never.
• See the results are no dereferenced.

Actually, I was reviewing this fix, and it seems that the code for alias dereferencing is inherently broken, essentially because the (C) API for alias dereferencing is broken. In fact, back-ldap and back-meta reuse and pool connections, so setting this parameter using ldap_set_option() will actually affect all (search) operations occurring simultaneously in an unprotected manner. I think this needs to be fixed.

The simplest (and my favorite) solution would be to have back-ldap and back-meta discontinue aliasing support.

Another option, which I do not consider particularly viable, is to separately pool connections with different alias dereferencing strategies

Finally (my second favorite option) is to add a new C API for ldap_search* operations that allows to explicitly set the alias dereferencing parameter. This API does not need to be public, since it is mostly useful inside the proxy backends.

p.

Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------