[Freeipa-devel] SASL whoami

Simo Sorce ssorce at redhat.com
Fri Oct 12 13:43:48 UTC 2007


On Thu, 2007-10-11 at 22:24 -0400, Rob Crittenden wrote:
> Pete Rowley wrote:
> > Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
> >>>> The connection pool has a fairly big problem with it. When a 
> >>>> connection goes away, it doesn't currently see that and returns a 
> >>>> failure rather than reconnecting. These connections can go away if 
> >>>> FDS restarts, for example. Or the connection times out or we're hit 
> >>>> by gamma rays, who knows.
> >>>>
> >>>> Trying to figure out where this failure is occurring and retrying 
> >>>> the operation will be fairly difficult (for every LDAP operation 
> >>>> basically).
> >>>>
> >>>> Instead what I've tried to do is run a quick operation on the 
> >>>> connection when I pull it out of the pool. If it is bad I can easily 
> >>>> make a new one.
> >>>>
> >>>> I wanted an LDAP operation that wasn't going to stress the server at 
> >>>> all. There is an extended operation whoami so you can find out who 
> >>>> is authenticated on this connection.
> >>>>
> >>>> Using this I can see whether the connection is alive or not and it 
> >>>> actually works fairly well.
> >>>>
> >>>> The problem is that FDS doesn't implement it, so an error is logged. 
> >>>> It isn't a big deal in my mind and in fact the operation is probably 
> >>>> quite swift ("Do I have this extop? Nope, return.").
> >>>>
> >>>> So, we have several options:
> >>>>
> >>>> 1. Go with my current uncommitted patch and use an unimplemented 
> >>>> extop to test the connection.
> >>>> 2. Go with the current uncommitted patch AND write a quickie plugin 
> >>>> that does whoami.
> >>>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
> >>>> everywhere and trying again.
> >>>
> >>> 3. FDS can restart just after your operation has happened and you are
> >>> still in trouble, only you are going to add tons of unnecessary
> >>> operations and still not be able to retry the right one.
> >>>
> >>> Simo.
> >>>
> >>
> >> I'm trying to handle the most common cases. The current code will not 
> >> work. We can alternatively rebind with every request, that will also 
> >> detect the loss of connectivity. That just seems like overkill.
> >>
> >> I'm happy with a best-effort. If FDS is restarting in the middle of 
> >> things a few client errors are probably the least of our troubles.
> > How about a keep-alive thread that adds fresh activity on each 
> > connection every minute or so and fixes up dead connections. Then we 
> > can keep this business out of the main loop.
> > 
> 
> Well, it may not be a good idea to keep around authenticated connections 
> as it is.
> 
> All the problems go away if I unbind() once the work is done and re-bind 
> later. We still save the connection cost. Shall I go ahead and do that 
> instead?

I think this is better than keepalive or whoami for now; I still think
we should handle errors better, but I guess we can defer that work.

Simo.
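The checkout-time probe (options 1 and 2) and the retry-on-SERVER_DOWN alternative (option 3) from the thread, as an added example that is not code from the FreeIPA tree; a constructed FakeLDAP stands in for a python-ldap connection (its whoami_s() mirrors python-ldap's whoami_s(), and ConnectionError stands in for ldap.SERVER_DOWN), so it runs without a directory server.

```python
import queue
class FakeLDAP:  # constructed stand-in for a bound python-ldap connection
    created = 0
    def __init__(self, dn):
        FakeLDAP.created += 1
        self.dn, self.alive = dn, True
    def whoami_s(self):  # python-ldap sends the RFC 4532 "Who am I?" extop here
        if not self.alive: raise ConnectionError("connection lost")  # ~SERVER_DOWN
        return "dn:" + self.dn
class Pool:
    def __init__(self, factory, size=2):
        self._factory, self._free = factory, queue.LifoQueue()
        for _ in range(size):
            self._free.put(factory())
    def checkout(self):
        """Options 1/2: probe with a cheap extop; rebuild a dead connection."""
        if self._free.empty(): return self._factory()
        conn = self._free.get_nowait()
        try:
            conn.whoami_s()
        except ConnectionError:
            conn = self._factory()  # dead: replace instead of failing the caller
        return conn
    def checkin(self, conn):
        self._free.put(conn)
    def run(self, op, retries=1):
        """Option 3: the probe misses a restart after checkout, so retry the op."""
        for attempt in range(retries + 1):
            conn = self.checkout()
            try:
                result = op(conn)
            except ConnectionError:
                if attempt == retries:
                    raise
                continue  # drop the dead connection; next checkout rebuilds one
            self.checkin(conn)
            return result
def demo():
    pool = Pool(lambda: FakeLDAP("uid=admin,cn=users,dc=example,dc=com"))
    conn = pool.checkout()
    conn.alive = False  # simulate FDS restarting while the connection sat idle
    pool.checkin(conn)
    fresh = pool.checkout()  # probe fails, so a new connection is built
    def flaky_search(c):  # server dies between the probe and the real operation
        if FakeLDAP.created < 4:
            c.alive = False
            raise ConnectionError("restart mid-request")
        return ["uid=admin"]
    # run() is evaluated before the counter, so created reflects its rebuild
    return fresh.alive, pool.run(flaky_search), FakeLDAP.created
```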