Howard Chu wrote:
In any heavily loaded environment you'll find that connection establishment becomes serious overhead in itself. Thus it's better to aim for longer lived connections that get reused as much as possible.
Surely, in an environment where there is high number of clients per proxy and only few proxies connected to a central server.
I would still like to ask your opinion on the first case, where remote server disconnects, but proxy does not disconnect clients. I would assume this should not be common, but instead present an exceptional case? (server timeouting too long sessions, connectivity issue, server crash...)
Proxy tries its best to create an illusion for clients that the connection to remote server is still up while it is not. When it is re-established, the proxy replays bind on behalf of the client. This obviously must happen with the same credentials as the initial bind from client, in order to present same kind of session with the same client privileges. Option rebind-as-user=true addresses this, but it does not work due to https://bugs.openldap.org/show_bug.cgi?id=9468. I assume this should then be fixed by storing client credentials somewhere else than the structure representing the (lost) remote connection?
I'm puzzled about what should happen in the same scenario but rebind-as-user=false? From security perspective, it can be a plus that proxy does not keep client credentials in memory for extended period. But on the other hand, if the replayed bind then would change into anonymous bind, wouldn't the client likely fail in strange ways as it suddenly became unprivileged to execute operations?
-- Tero