[Freeipa-devel] SASL whoami
Rob Crittenden
rcritten at redhat.com
Fri Oct 12 02:24:12 UTC 2007
Pete Rowley wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
>>>> The connection pool has a fairly big problem with it. When a
>>>> connection goes away, it doesn't currently see that and returns a
>>>> failure rather than reconnecting. These connections can go away if
>>>> FDS restarts, for example. Or the connection times out or we're hit
>>>> by gamma rays, who knows.
>>>>
>>>> Trying to figure out where this failure is occurring and retrying
>>>> the operation will be fairly difficult (for every LDAP operation
>>>> basically).
>>>>
>>>> Instead what I've tried to do is run a quick operation on the
>>>> connection when I pull it out of the pool. If it is bad I can easily
>>>> make a new one.
>>>>
>>>> I wanted an LDAP operation that wasn't going to stress the server at
>>>> all. There is an extended operation whoami so you can find out who
>>>> is authenticated on this connection.
>>>>
>>>> Using this I can see whether the connection is alive or not and it
>>>> actually works fairly well.
>>>>
>>>> The problem is that FDS doesn't implement it, so an error is logged.
>>>> It isn't a big deal in my mind and in fact the operation is probably
>>>> quite swift ("Do I have this extop? Nope, return.").
>>>>
>>>> So, we have several options:
>>>>
>>>> 1. Go with my current uncommitted patch and use an unimplemented
>>>> extop to test the connection.
>>>> 2. Go with the current uncommitted patch AND write a quickie plugin
>>>> that does whoami.
>>>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN
>>>> everywhere and trying again.
>>>
>>> 3. FDS can restart just after your operation has happened and you are
>>> still in trouble, only you are going to add tons of unnecessary
>>> operations and still not able to retry the right one.
>>>
>>> Simo.
>>>
>>
>> I'm trying to handle the most common cases. The current code will not
>> work. We can alternatively rebind with every request, that will also
>> detect the loss of connectivity. That just seems like overkill.
>>
>> I'm happy with a best-effort. If FDS is restarting in the middle of
>> things a few client errors are probably the least of our troubles.
> How about a keep alive thread that adds fresh activity on each
> connection every minute or so and fixes up dead connections. Then we
> can keep this business out of the main loop.
>
Well, it may not be a good idea to keep around authenticated connections
as it is.
All the problems go away if I unbind() once the work is done and re-bind
later. We still save the connection cost. Shall I go ahead and do that
instead?
rob
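
An added sketch of the design discussed in this thread, not code from the FreeIPA patch: a pool that probes each connection on checkout and replaces a dead one, plus one retry wrapper for the case Simo raises, where the server goes away after the probe. `FakeConn`, `ServerDown`, `Pool` and `with_retry` are hypothetical stand-ins so it runs without a directory server; clearing `bound_as` on check-in models keeping no authenticated connections idle.

```python
class ServerDown(Exception):
    """Stand-in for ldap.SERVER_DOWN (constructed for this example)."""

class FakeConn:
    """Constructed stand-in for an LDAP connection; `alive` is the server side."""
    def __init__(self):
        self.alive, self.bound_as = True, None
    def _check(self):
        if not self.alive:
            raise ServerDown()
    def bind(self, dn):
        self._check()
        self.bound_as = dn
    def probe(self):
        # Cheap liveness test, the role whoami plays in the thread.
        self._check()
        return self.bound_as
    def search(self, base):
        self._check()
        return [base]

class Pool:
    def __init__(self):
        self.idle, self.created = [], 0
    def _new(self):
        self.created += 1
        return FakeConn()
    def checkout(self, dn):
        conn = self.idle.pop() if self.idle else self._new()
        try:
            conn.probe()            # test on checkout
        except ServerDown:
            conn = self._new()      # stale: replace instead of failing
        conn.bind(dn)               # bind per request
        return conn
    def checkin(self, conn):
        conn.bound_as = None        # idle connections carry no identity
        self.idle.append(conn)

def with_retry(pool, dn, op):
    """Run op(conn); retry once if the server goes away after the probe."""
    for attempt in (1, 2):
        conn = pool.checkout(dn)
        try:
            result = op(conn)
        except ServerDown:
            if attempt == 2:
                raise
            continue                # dead connection is dropped, not pooled
        pool.checkin(conn)
        return result
```

The probe only covers connections that died while idle; the retry in `with_retry` is what covers a failure between the probe and the real operation.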