Tero Saarni wrote:
Howard Chu wrote:
> In any heavily loaded environment you'll find that connection establishment
> becomes serious overhead in itself. Thus it's better to aim for longer lived
> connections that get reused as much as possible.
Surely, in an environment where there is a high number of clients per proxy and only a few
proxies connected to a central server.
I would still like to ask your opinion on the first case, where the remote server
disconnects, but the proxy does not disconnect clients. I would assume this should not be
common, but instead present an exceptional case? (server timing out too-long sessions,
connectivity issue, server crash...)
Yes, it's assumed that these are rare cases.
The proxy tries its best to create an illusion for clients that the
connection to the remote server is still up while it is not.
When it is re-established, the proxy replays the bind on behalf of the
client. This obviously must happen with the same credentials as the initial bind from the
client, in order to present the same kind of session with the same client privileges. Option
rebind-as-user=true addresses this, but it does not work due to
https://bugs.openldap.org/show_bug.cgi?id=9468. I assume this should then be fixed by
storing client credentials somewhere else than the structure representing the (lost)
remote connection?
I'm puzzled about what should happen in the same scenario but with rebind-as-user=false?
The rebind-as-user option was originally only used when chasing referrals. With
the current code, your choices are to use proxyAuthz to assert a user identity
on reconnect, or simply fail instead of reconnecting. Personally I'd lean towards
the latter. For shared connections retrying is still appropriate, because we only
share connections for special cases, like rootdn usage where we already know we
can establish the correct credentials.
As for storing the credentials elsewhere - that becomes moot if you choose to just
fail the connection. Otherwise, I'd just pull the creds out of the lost connection
before freeing it, to save in the newly created connection.
From a security perspective, it can be a plus that the proxy does not keep
client credentials in memory for an extended period. But on the other hand, if the replayed
bind would then change into an anonymous bind, wouldn't the client likely fail in strange
ways as it suddenly became unprivileged to execute operations?
--
Tero
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
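Added example, not taken from this thread or from the OpenLDAP project's own configuration: a slapd.conf back-ldap fragment that puts the two reconnect strategies discussed above side by side, the rebind-as-user replay of the client's own bind and the proxyAuthz-based identity assertion via idassert-bind. The suffix, URI, DNs, regex and password are placeholders; the timeouts are illustrative values.

```conf
# Added example (not from the thread or the OpenLDAP project).
# Suffix, URI, DNs and password are placeholders.

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com/"

# Keep upstream connections long-lived and reused, as the thread recommends,
# but bound their lifetime so a stale connection is eventually dropped.
idle-timeout    300
conn-ttl        3600

# Choice A: replay the client's own bind when the upstream connection is
# re-established. The proxy must then hold the client's credentials for as
# long as the upstream connection lives (the case the thread says is broken).
rebind-as-user  yes

# Choice B: bind upstream as a dedicated proxy identity and assert the
# client's identity with the proxyAuthz control (mode=self). The client's
# password is never retained by the proxy. Uncomment to use instead of A.
#idassert-bind  bindmethod=simple
#               binddn="cn=proxy,dc=example,dc=com"
#               credentials="PLACEHOLDER"
#               mode=self
#               authz=proxyauthz
## Limit which client identities the proxy is willing to assert.
#idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"
```

With choice B the remote server must allow the proxy's bind identity to assume the asserted identities (authzTo on the proxy entry, or authzFrom on the user entries), and idassert-authzFrom should be kept as narrow as the user population allows. Which choice fits depends on whether holding client passwords on the proxy for the life of the upstream connection is acceptable, the trade-off raised at the end of the thread; a proxy that instead drops the client when the upstream connection is lost avoids both the stored credentials and the silent downgrade to an anonymous session.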