Hi Eugene,
I decided to start a new thread to discuss so that we can close the
previous parenthesis and concentrate on the problem at hand.
On Mon, 19 Apr 2010 15:19:22 +0400
Eugene Indenbom <eindenbom(a)gmail.com> wrote:
> So now we are ready to continue with fixing failover reconnect and
> GSSAPI authentication in LDAP and IPA providers. From my point of
> view at least the following problems need to be addressed by the final
> solution:
>
> 1. When two (or more) BE requests are executed in parallel and there
> is no cached connection, only one LDAP connection should be
> established. In the current implementation 2 connections will be
> established and the first one killed, failing the operation that
> connected first.
ACK (within the boundaries of the ID provider)
> 2. When OFFLINE state is detected during request execution (there
> was a cached connection, but all failover servers failed to connect
> during request execution), the backend must return DP_ERR_OFFLINE. It
> currently returns DP_ERR_FATAL with EIO error. The next request completes
> with DP_ERR_OFFLINE. So there is a big inconsistency in behaviour.
I think this makes sense.
> 3. It is essential to close the LDAP connection before the GSSAPI ticket
> is expired, as closing a connection with an already expired ticket still
> writes a message in the message log.
Premise:
I have started a discussion upstream wrt killing GSSAPI connection when
credentials expire. Heimdal doesn't do that. MIT does, but things may
change.
Until the issue is resolved upstream I think it makes sense to avoid
bad messages in the logs, but only as long as avoiding them doesn't
require complex and convoluted code.
> 4. The about-to-expire connection should be closed gracefully: all
> requests already in progress and using the connection should be
> completed, new requests should establish and use a new connection.
Hopefully we can avoid "expiring" connections (see premise above), but
I think we need to be even more aggressive, and close connections when
they go idle. This way we can free server resources and in most cases
we will close much before we even get close to expiration time.
> 5. ipa_access backend should also use failover retries.
ACK
> 6. I think it is essential to reduce the amount of copy-paste code
> handling LDAP connect/reconnect code. My strong opinion is that a
> special mechanism for handling LDAP connect/retry logic is required.
If we need it then we need it at a deep level, down close to the
openldap library boundary, so that we do not have to restart functions
at a higher level. As close as possible to the wire.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
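
The behaviour asked for in points 1 and 4 of the thread, modelled as an added example that is not part of the original message and is not SSSD code: parallel requests share a single connect attempt, and a connection whose GSSAPI ticket is about to expire is retired and closed only when its last user releases it. All names here (conn_cache, conn_cache_acquire, conn_cache_connected, conn_release) are hypothetical, and the asynchronous connect is modelled as an explicit completion call.

```c
#include <stdbool.h>
#include <time.h>

#define MAX_CONNS 8   /* fixed pool keeps this model allocation-free */

struct conn {
    int refs;         /* requests currently using this connection */
    bool retired;     /* no new users; close once refs reaches 0 */
    bool closed;      /* set where a real provider would unbind the handle */
    time_t expires;   /* end time of the GSSAPI ticket used for the bind */
};

struct conn_cache {
    struct conn pool[MAX_CONNS];
    int used;
    struct conn *cur;      /* connection handed to new requests */
    bool connecting;       /* one connect attempt is in flight */
    int waiters;           /* requests queued behind that attempt */
    int connects_started;  /* counts real connection attempts */
};

/* Drop one reference; a retired connection closes with its last user. */
void conn_release(struct conn *c) {
    if (c->refs > 0) c->refs--;
    if (c->retired && c->refs == 0) c->closed = true;
}

/* Returns a usable connection, or NULL when the caller must wait for
 * conn_cache_connected(). Only the first waiter starts a connect. */
struct conn *conn_cache_acquire(struct conn_cache *cc, time_t now, time_t margin) {
    if (cc->cur && now + margin >= cc->cur->expires) {
        cc->cur->retired = true;   /* requests in progress finish on it */
        if (cc->cur->refs == 0) cc->cur->closed = true;
        cc->cur = NULL;            /* new requests get a new connection */
    }
    if (cc->cur) { cc->cur->refs++; return cc->cur; }
    if (!cc->connecting) { cc->connecting = true; cc->connects_started++; }
    cc->waiters++;
    return NULL;
}

/* Called once when the single connect succeeds; every waiter shares it. */
struct conn *conn_cache_connected(struct conn_cache *cc, time_t expires) {
    if (!cc->connecting || cc->used == MAX_CONNS) return NULL;
    struct conn *c = &cc->pool[cc->used++];
    *c = (struct conn){ .refs = cc->waiters, .expires = expires };
    cc->cur = c; cc->connecting = false; cc->waiters = 0;
    return c;
}
```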