
Re: (ITS#4387) slapd-ldap backend leaks descriptors on closed connections on x86_64



aleksander.adamowski@gmail.com wrote:
>> Let me
>> point out that in my opinion reusing a bound connection to rebind with a
>> different identity sounds like a poor client design.
>>     
>
> In my opinion it's a very good design in the given case - the role of
> Courier's authdaemon (among other roles, e.g. account lookup) is to
> check validity of user credentials.
>
> It does multiple credential checks on a single LDAP connection to
> conserve resources - to test a password, it doesn't need to open a new
> LDAP connection every time and then close it.
>
> This is a good design from the performance perspective, and I'd
> speculate that LDAP protocol permits multiple bind operations per
> connection because its designers have foreseen this usage scenario
> (LDAP was designed as a network authentication protocol, among other
> uses).

Actually not, but it has been used as such simply because it accommodates 
such a rich set of authentication mechanisms.

There's a simple tradeoff here - if you use a single connection for all 
Binds, you must fully serialize the procedure, because the receipt of 
any Bind request automatically aborts any other outstanding requests on 
the connection. If you use multiple connections, you can have multiple 
authentication attempts in progress at once. For back-ldap, we felt it 
was more important to support high concurrency.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
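
A toy model of the trade-off described in the reply above, added here as an illustration and not taken from OpenLDAP, back-ldap or the thread. The `Conn` class and the function names are assumptions; the only protocol rule modelled is the one stated in the message, that a Bind aborts other outstanding requests on the same connection.

```python
# Constructed model of the trade-off in the reply; not OpenLDAP/back-ldap code.
# Conn, overlapped, serialized and pooled are hypothetical names.
from math import ceil

class Conn:
    """Toy LDAP connection: outstanding requests keyed by message ID."""
    def __init__(self):
        self.outstanding = {}   # msgid -> (op, identity)
        self.aborted = []       # requests dropped by a later Bind
        self.next_id = 1

    def send(self, op, who):
        if op == "bind":
            # Receipt of a Bind aborts everything still outstanding.
            self.aborted.extend(self.outstanding.values())
            self.outstanding.clear()
        msgid, self.next_id = self.next_id, self.next_id + 1
        self.outstanding[msgid] = (op, who)
        return msgid

    def complete(self, msgid):
        """Server answers msgid; returns None if the request was aborted."""
        return self.outstanding.pop(msgid, None)

def overlapped(users):
    """One connection, Binds sent without waiting: only the last survives."""
    conn = Conn()
    ids = [conn.send("bind", u) for u in users]
    answered = [r[1] for r in map(conn.complete, ids) if r]
    return answered, [who for _, who in conn.aborted]

def serialized(users):
    """One connection, each Bind waits for the previous result."""
    conn, answered = Conn(), []
    for u in users:
        answered.append(conn.complete(conn.send("bind", u))[1])
    return answered, len(users)          # round trips on the critical path

def pooled(users, nconn):
    """One Bind in flight per connection, nconn connections in parallel."""
    conns = [Conn() for _ in range(nconn)]
    answered = []
    for i, u in enumerate(users):
        c = conns[i % nconn]
        answered.append(c.complete(c.send("bind", u))[1])
    return answered, ceil(len(users) / nconn)
```

With four credential checks, the shared connection either loses three of them (overlapped) or needs four sequential round trips (serialized), while two connections finish all four in two.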