Tero Saarni wrote:
Howard Chu wrote:
In any heavily loaded environment you'll find that connection establishment becomes serious overhead in itself. Thus it's better to aim for longer lived connections that get reused as much as possible.
Surely, in an environment where there is high number of clients per proxy and only few proxies connected to a central server.
I would still like to ask your opinion on the first case, where remote server disconnects, but proxy does not disconnect clients. I would assume this should not be common, but instead present an exceptional case? (server timeouting too long sessions, connectivity issue, server crash...)
Yes, it's assumed that these are rare cases.
Proxy tries its best to create an illusion for clients that the connection to remote server is still up while it is not.
When it is re-established, the proxy replays bind on behalf of the client. This obviously must happen with the same credentials as the initial bind from client, in order to present same kind of session with the same client privileges. Option rebind-as-user=true addresses this, but it does not work due to https://bugs.openldap.org/show_bug.cgi?id=9468. I assume this should then be fixed by storing client credentials somewhere else than the structure representing the (lost) remote connection?
I'm puzzled about what should happen in the same scenario but rebind-as-user=false?
The rebind-as-user option was originally only used when chasing referrals. With the current code, your choices are to use proxyAuthz to assert a user identity on reconnect, or simply fail instead of reconnecting. Personally I'd lean towards the latter. For shared connections retrying is still appropriate, because we only share connections for special cases, like rootdn usage where we already know we can establish the correct credentials.
As for storing the credentials elsewhere - that becomes moot if you choose to just fail the connection. Otherwise, I'd just pull the creds out of the lost connection before freeing it, to save in the newly created connection.
From security perspective, it can be a plus that proxy does not keep client credentials in memory for extended period. But on the other hand, if the replayed bind then would change into anonymous bind, wouldn't the client likely fail in strange ways as it suddenly became unprivileged to execute operations?
-- Tero