Full_Name: Emily Backes
Submission from: (NULL) (188.8.131.52)
Currently, back-ldap stores credentials in the outbound connection
structure. When that disappears, e.g. from idle-timeout, conn-ttl,
network lossage, AD trouble, etc., the connection becomes unbound and
AD returns err=1 (Operations error), which isn't enougfofor back-ldap
to treat it as LDAP_UNAVAILABLE.
Howard reports this is working-as-designed, even if the design is bad.
Several ITS filings are still open about this problem; 5110, 6571, and
7464 are all related.
At a minimum, we should drop the client connection if we can't keep
the session stable.
This is not as simple as it sounds. In particular, back-ldap may be part of a
larger glued tree of backends. A failure to search in the back-ldap context
should not prevent the rest of the glued tree from being searched, and it
should not drop the client connection.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/