(RADIATOR) Patch for LDAP_OPERATIONS_ERROR with half-closed TCP

Mike McCauley mikem at open.com.au
Thu Apr 17 16:49:01 CDT 2008 

Hello Bjoern,

thank you for your very good patch. It has been rolled into the mainline and 
is also in the latest patch set.

We really appreciate it when people send us patches like that.
Thanks again.

Cheers.

On Friday 18 April 2008 04:12, Bjoern A. Zeeb wrote:
> Hi,
>
> if running Radiator with LDAP backends and HoldServerConnection and
> those sessions are idle for too long or longer than an Idle Timeout
> on the LDAP server it might happen that the LDAP server closes the
> connection.
> What you end up with is a half-closed TCP connection but perl-ldap
> hasn't yet read the EOF with asn_read/Convert::ASN1, nor would it
> really recognize this condition as a close.
> Other scenarios how you can get into te half-closed/closed is with
> firewalls in between that expire states and one way or the other start
> telling your socket that TCP is being finished.
>
> What happens with Radaitor in this case:
>
> You have an supposedly alive LDAP connection.  findUser() does the
> reconnect tests, getpeername() still returns soemthing valid (at least
> on OSes with sane stacks;) thus reconnect returns and a search() is
> started.
> Now perl-ldap tries to send data, the LDAP server sends back a RST
> perl-ldap tries to read the answer which doesn't make sense and
> returns an LDAP_OPERATIONS_ERROR which you will find in your logs.
> Radiator will think the LDAP Server is down and go into backoff mode.
> Now if you have multiple servers and this happens with all of them
> you are lost.
>
> Actually the LDAP server would answer queries fine with a new
> connection.
>
> So what the attached patch does is:
> if running in HoldServerConnection and we have a supposedly valid LDAP
> socket, check if there is any data to read which should not be the
> case in sync mode unless there is an unsolicited notification 'Notice
> of Disconnection' (or an EOF pending).
> If there is anything let perl-ldap process the data.
> In case this returns with an LDAP_OPERATIONS_ERROR (the one serach
> would have ginven us) check EVAL_ERROR which Convert::ASN1 sets in
> case of an read error. If that says 'Unexpected EOF' close the TCP
> sessions from our side as well.
> Log the case that there was a 'Server side disconnect'.
> In case of an 'Notice of Disconnection' perl-ldap will have clsoed the
> connection already.
>
> In both cases the LDAP descriptor will no longer be valid and we will
> do a reconnect and a following search() would succeed and not mark the
> server down.
>
>
> Regards,
> Bjoern

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list