Full_Name: Matthew Hardin Version: 2.3.38 OS: RHEL4 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (74.38.114.43)

Remote directory servers that do not answer a bind request within the timeout period will cause an assertion failure in back-meta.

Analysis: The meta_back_bind() function calls either meta_back_proxy_authz_bind() if the bind is taking place with back_meta's rootdn or meta_back_single_bind() if it's not.

Once they make the appropriate bind function call, each of these functions calls meta_back_bind_op_result() to process the result of the bind. Neither meta_back_proxy_authz_bind() or meta_back_single_bind() set the LDAP_BACK_CONN_BINDING state.

When meta_back_bind_op_result() calls ldap_result(), one of the possible return codes is 0, and meta_back_bind_op_result() will repeat the ldap_result() call, provided the timeout hasn't been exceeded or back-meta has been told not to retry.

If the wait time has been exceeded the code falls through to an assert(LDAP_BACK_CONN_BINDING(msc)) statement. This assert is only valid when meta_back_do_bind() has made the function call, and it will fail if either meta_back_proxy_authz_bind() or meta_back_single_bind() made the function call.

Possible Fixes: The correct fix would seem to be to remove the assert(), since in two out of three cases the meta_back_bind_op_result() function is being called with the LDAP_BACK_CONN_BINDING state not set.

It is also possible to set and clear the LDAP_BACK_CONN_BINDING state as appropriate from the other two funcions that call it, but this seems incorrect, as the LDAP_BACK_CONN_BINDING state is only manipulated in the meta_back_single_dobind() direct bind function.