[Freeipa-devel] SASL whoami

Rob Crittenden rcritten at redhat.com
Fri Oct 12 14:10:52 UTC 2007


Simo Sorce wrote:
> On Thu, 2007-10-11 at 22:24 -0400, Rob Crittenden wrote:
>> Pete Rowley wrote:
>>> Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Thu, 2007-10-11 at 17:10 -0400, Rob Crittenden wrote:
>>>>>> The connection pool has a fairly big problem with it. When a 
>>>>>> connection goes away, it doesn't currently see that and returns a 
>>>>>> failure rather than reconnecting. These connections can go away if 
>>>>>> FDS restarts, for example. Or the connection times out or we're hit 
>>>>>> by gamma rays, who knows.
>>>>>>
>>>>>> Trying to figure out where this failure is occurring and retrying 
>>>>>> the operation will be fairly difficult (for every LDAP operation 
>>>>>> basically).
>>>>>>
>>>>>> Instead what I've tried to do is run a quick operation on the 
>>>>>> connection when I pull it out of the pool. If it is bad I can easily 
>>>>>> make a new one.
>>>>>>
>>>>>> I wanted an LDAP operation that wasn't going to stress the server at 
>>>>>> all. There is an extended operation whoami so you can find out who 
>>>>>> is authenticated on this connection.
>>>>>>
>>>>>> Using this I can see whether the connection is alive or not and it 
>>>>>> actually works fairly well.
>>>>>>
>>>>>> The problem is that FDS doesn't implement it, so an error is logged. 
>>>>>> It isn't a big deal in my mind and in fact the operation is probably 
>>>>>> quite swift ("Do I have this extop? Nope, return.").
>>>>>>
>>>>>> So, we have several options:
>>>>>>
>>>>>> 1. Go with my current uncommitted patch and use an unimplemented 
>>>>>> extop to test the connection.
>>>>>> 2. Go with the current uncommitted patch AND write a quickie plugin 
>>>>>> that does whoami.
>>>>>> 3. Try something else altogether, such as catching ldap.SERVER_DOWN 
>>>>>> everywhere and trying again.
>>>>> 3. FDS can restart just after your operation has happened and you are
>>>>> still in trouble, only you are going to add tons of unnecessary
>>>>> operations and still not able to retry the right one.
>>>>>
>>>>> Simo.
>>>>>
>>>> I'm trying to handle the most common cases. The current code will not 
>>>> work. We can alternatively rebind with every request, that will also 
>>>> detect the loss of connectivity. That just seems like overkill.
>>>>
>>>> I'm happy with a best-effort. If FDS is restarting in the middle of 
>>>> things a few client errors are probably the least of our troubles.
>>> How about a keep alive thread that adds fresh activity on each 
>>> connection every minute or so and fixes up dead connections.  Then we 
>>> can keep this business out of the main loop.
>>>
>> Well, it may not be a good idea to keep around authenticated connections 
>> as it is.
>>
>> All the problems go away if I unbind() once the work is done and re-bind 
>> later. We still save the connection cost. Shall I go ahead and do that 
>> instead?
> 
> I think this is better than keepalive or whoami for now, I still think
> we should handle errors better, but I guess we can defer that work.

It appears that a SASL connection cannot be rebound. It fails with no 
error logged in FDS, it just closes the connection.

I've got a patch that binds and unbinds with each get/release 
connection. We can address caching in the future. At least this code 
isn't buggy.

I'll get a patch out later this morning.

rob
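The two strategies debated in this thread, a cheap probe when a connection is pulled out of the pool versus catching SERVER_DOWN and retrying the operation, side by side as an added example. This is not code from the thread or from FreeIPA: it uses a constructed fake directory server and connection in place of python-ldap so it runs offline, `ServerDown` stands in for `ldap.SERVER_DOWN`, and `whoami_s` only mirrors the python-ldap method name. The scenario also shows Simo's point: a restart that lands between the probe and the real operation slips past the probe, while the retry wrapper still recovers.

```python
"""Pooled LDAP connections: checkout-time probe plus retry-on-SERVER_DOWN.

All classes below are constructed stand-ins; no real LDAP library is used.
"""
import itertools


class ServerDown(Exception):
    """Stand-in for ldap.SERVER_DOWN (assumption: name chosen for this example)."""


class FakeDirectoryServer:
    """Constructed directory server; restart() invalidates every open connection."""

    def __init__(self):
        self.generation = 0   # bumped on every restart
        self.ops = 0          # operations actually served

    def restart(self):
        self.generation += 1


class FakeConnection:
    """Constructed bound connection; dead once the server has restarted."""

    _ids = itertools.count(1)

    def __init__(self, server):
        self.server = server
        self.generation = server.generation
        self.id = next(self._ids)

    def _check(self):
        if self.generation != self.server.generation:
            raise ServerDown("connection closed by server restart")
        self.server.ops += 1

    def whoami_s(self):
        # Cheap probe; mirrors the python-ldap method name (assumption).
        self._check()
        return "dn: uid=admin"

    def search(self, base):
        self._check()
        return [base]


class Pool:
    """Pool that probes on checkout and can retry an operation on a fresh connection."""

    def __init__(self, server):
        self.server = server
        self.free = []
        self.binds = 0   # how many times a new connection had to be bound

    def _connect(self):
        self.binds += 1
        return FakeConnection(self.server)

    def get(self):
        # Option 1 from the thread: run a trivial op; discard the connection if it fails.
        while self.free:
            conn = self.free.pop()
            try:
                conn.whoami_s()
                return conn
            except ServerDown:
                continue   # dead connection, drop it and try the next one
        return self._connect()

    def release(self, conn):
        self.free.append(conn)

    def run(self, op, retries=1):
        # Option 3 from the thread: catch SERVER_DOWN and retry on a fresh connection.
        for attempt in range(retries + 1):
            conn = self.get()
            try:
                result = op(conn)
            except ServerDown:
                if attempt == retries:
                    raise
                continue   # the dead connection is not returned to the pool
            self.release(conn)
            return result


def scenario():
    """Walk through the cases discussed in the thread and report what each strategy caught."""
    server = FakeDirectoryServer()
    pool = Pool(server)
    base = "dc=example,dc=com"

    pool.run(lambda c: c.search(base))        # first use: one bind
    server.restart()                           # FDS restarts while the connection sits idle
    pool.run(lambda c: c.search(base))        # probe sees the dead connection, rebinds

    # Race: restart after the probe succeeded but before the real operation.
    conn = pool.get()
    server.restart()
    try:
        conn.search(base)
        probe_caught_race = True
    except ServerDown:
        probe_caught_race = False             # the probe alone cannot cover this

    calls = []

    def flaky(c):
        calls.append(c.id)
        if len(calls) == 1:
            server.restart()                   # same race, now under the retry wrapper
        return c.search(base)

    result = pool.run(flaky)
    return {
        "binds": pool.binds,
        "probe_caught_race": probe_caught_race,
        "retry_attempts": len(calls),
        "result": result,
    }


if __name__ == "__main__":
    print(scenario())
```

The probe keeps a stale connection from being handed out after a restart, at the cost of one extra round trip per checkout; only the retry wrapper recovers from a restart that happens mid-operation, which is why the two are complementary rather than alternatives.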