(RADIATOR) Patch for LDAP_OPERATIONS_ERROR with half-closed TCP

Ernst Oudhof e.oudhof at mailfrom.nl
Thu May 29 08:03:35 CDT 2008


Hi,

I've got a suggestion for this patch which is now in Radiator.
The patch uses the process method from Net::LDAP. This method only
exists in perl-ldap >= 0.35. 

In perl-ldap 0.34 and earlier it is called _recvresp. This method is
still included as an 'alias' in 0.35 and later (from ldap.pm:
"*_recvresp = \&process; # compat" ).

So I would suggest using _recvresp instead so Radiator won't crash on a
disconnect from the LDAP server when using perl-ldap < 0.35.

The patch is attached.

regards,

Ernst




On Thu, 2008-04-17 at 18:12 +0000, Bjoern A. Zeeb wrote:
> Hi,
> 
> if running Radiator with LDAP backends and HoldServerConnection and
> those sessions are idle for too long or longer than an Idle Timeout
> on the LDAP server it might happen that the LDAP server closes the
> connection.
> What you end up with is a half-closed TCP connection but perl-ldap
> hasn't yet read the EOF with asn_read/Convert::ASN1, nor would it
> really recognize this condition as a close.
> Other scenarios how you can get into the half-closed/closed is with
> firewalls in between that expire states and one way or the other start
> telling your socket that TCP is being finished.
> 
> What happens with Radiator in this case:
> 
> You have a supposedly alive LDAP connection.  findUser() does the
> reconnect tests, getpeername() still returns something valid (at least
> on OSes with sane stacks;) thus reconnect returns and a search() is
> started.
> Now perl-ldap tries to send data, the LDAP server sends back a RST,
> perl-ldap tries to read the answer which doesn't make sense and
> returns an LDAP_OPERATIONS_ERROR which you will find in your logs.
> Radiator will think the LDAP Server is down and go into backoff mode.
> Now if you have multiple servers and this happens with all of them
> you are lost.
> 
> Actually the LDAP server would answer queries fine with a new
> connection.
> 
> So what the attached patch does is:
> if running in HoldServerConnection and we have a supposedly valid LDAP
> socket, check if there is any data to read which should not be the
> case in sync mode unless there is an unsolicited notification 'Notice
> of Disconnection' (or an EOF pending).
> If there is anything let perl-ldap process the data.
> In case this returns with an LDAP_OPERATIONS_ERROR (the one search
> would have given us) check EVAL_ERROR which Convert::ASN1 sets in
> case of a read error. If that says 'Unexpected EOF' close the TCP
> sessions from our side as well.
> Log the case that there was a 'Server side disconnect'.
> In case of a 'Notice of Disconnection' perl-ldap will have closed the
> connection already.
> 
> In both cases the LDAP descriptor will no longer be valid and we will
> do a reconnect and a following search() would succeed and not mark the
> server down.
> 
> 
> Regards,
> Bjoern
> 
> -- 
> Dipl. Ing. (BA) Bjoern A. Zeeb          Research & Development
> CK Software GmbH                        http://www.cksoft.de/
> Schwarzwaldstr. 31                      Phone: +49 7452 889 135
> D-71131 Jettingen                       Fax: +49 7452 889 136
> HRB245288, Amtsgericht Stuttgart        Geschaeftsfuehrer: Christian Kratzer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: older-perl-ldap.patch
Type: text/x-patch
Size: 470 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080529/b7e07eb9/attachment.bin>
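
The check discussed in this thread, as an added example that is not part of the original posts, the attached patch or Radiator's code: poll a held connection for pending data or EOF before reusing it, and pick `process` or `_recvresp` depending on what the installed perl-ldap provides. The names `held_socket_state`, `ldap_process_method` and `OldLdapStub` are hypothetical, and a constructed socketpair stands in for the LDAP connection so it runs offline.

```perl
use strict;
use warnings;
use Socket qw(AF_UNIX SOCK_STREAM PF_UNSPEC MSG_PEEK);
use IO::Select;

# Classify a held, supposedly idle connection before reusing it:
#   'idle' - nothing pending, safe to send the next request
#   'data' - bytes pending (e.g. an unsolicited notification) for the
#            LDAP library to process
#   'eof'  - peer closed its side: close ours and reconnect
sub held_socket_state {
    my ($sock) = @_;
    my @ready = IO::Select->new($sock)->can_read(0);   # poll, do not block
    return 'idle' unless @ready;
    my $buf = '';
    my $r = recv($sock, $buf, 1, MSG_PEEK);            # peek, do not consume
    return 'eof' unless defined $r;                    # read error: treat as dead
    return length($buf) ? 'data' : 'eof';              # readable with 0 bytes = EOF
}

# Hypothetical helper: use whichever response-processing method the installed
# perl-ldap has, 'process' (0.35 and later) or '_recvresp' (0.34 and earlier).
sub ldap_process_method {
    my ($ldap) = @_;
    return $ldap->can('process') || $ldap->can('_recvresp');
}

# Constructed stand-ins: a socketpair plays the client/server connection and
# OldLdapStub mimics an object that only has the pre-0.35 method name.
{ package OldLdapStub; sub new { bless {}, shift } sub _recvresp { 'called _recvresp' } }

socketpair(my $client, my $server, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!";
print "no traffic:        ", held_socket_state($client), "\n";

syswrite($server, "x") or die "write: $!";
print "server sent bytes: ", held_socket_state($client), "\n";
sysread($client, my $discard, 1);                      # drain the byte

shutdown($server, 1);                                  # server closes its sending side
print "server closed:     ", held_socket_state($client), "\n";

my $stub   = OldLdapStub->new;
my $method = ldap_process_method($stub) or die "no process method";
print "old perl-ldap:     ", $stub->$method(), "\n";
```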

