(ITS#5185) assertion failure in back-meta when the remote directory does not answer a bind request within the time allotted

[mhardin@symas.com]

Full_Name: Matthew Hardin
Version: 2.3.38
OS: RHEL4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (74.38.114.43)


Remote directory servers that do not answer a bind request within the timeout
period will cause an assertion failure in back-meta.

Analysis:
The meta_back_bind() function calls either meta_back_proxy_authz_bind() if the
bind is taking place with back_meta's rootdn or meta_back_single_bind() if it's
not. 

Once they make the appropriate bind function call, each of these functions calls
meta_back_bind_op_result() to process the result of the bind. Neither
meta_back_proxy_authz_bind() or meta_back_single_bind() set the
LDAP_BACK_CONN_BINDING state.

When meta_back_bind_op_result() calls ldap_result(), one of the possible return
codes is 0, and meta_back_bind_op_result() will repeat the ldap_result() call,
provided the timeout hasn't been exceeded or back-meta has been told not to
retry. 

If the wait time has been exceeded the code falls through to an
assert(LDAP_BACK_CONN_BINDING(msc)) statement. This assert is only valid when
meta_back_do_bind() has made the function call, and it will fail if either
meta_back_proxy_authz_bind() or meta_back_single_bind() made the function call.



Possible Fixes:
The correct fix would seem to be to remove the assert(), since in two out of
three cases the meta_back_bind_op_result() function is being called with the
LDAP_BACK_CONN_BINDING state not set.

It is also possible to set and clear the LDAP_BACK_CONN_BINDING state as
appropriate from the other two funcions that call it, but this seems incorrect,
as the LDAP_BACK_CONN_BINDING state is only manipulated in the
meta_back_single_dobind() direct bind function.