Skip to content

ITS#9468 back-ldap: Return unavailable error if rebind cannot be done

Tero Saarni requested to merge tsaarni/openldap:its9468 into master

The goal of this change is to cover a scenario where proxy has established a private (not shared) connection to remote server and relayed a bind request from the client to the remote server, then

  1. remote server disconnects from proxy (or firewall in between causes connection to be dropped)
  2. proxy disconnects from remote server (due to connection timeout)

and at the same time the client still remains connected to the proxy. When client executes the next operation after (1) or (2) has happened, following behavior is changed by this merge request:

Before change: back-ldap will create new connection to remote server and generate anonymous bind request if it does not have client credentials stored from previous bind request anymore.

After change: back-ldap will notice if it does not have client credentials stored and sends "unavailable" error to client, without trying to re-establish connection to the remote server.

This issue was shortly discussed on openldap-devel

Edited by Quanah Gibson-Mount

Merge request reports