Re: (ITS#7008) paged results against ldap-proxy errors with 'cookie is invalid'
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7008) paged results against ldap-proxy errors with 'cookie is invalid'
- From: hyc@symas.com
- Date: Mon, 1 Aug 2011 21:47:20 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
whm@stanford.edu wrote:
> Full_Name: Bill MacAllister
> Version: 2.4.26
> OS: Debian 6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.19.165)
>
>
> We typically set up local proxy servers to support applications that cannot
> support a GSSAPI bind to the directory server. The proxy server allows
> anonymous access to the directory for connections from the localhost and
> connects to the master using GSSAPI. We are experiencing failures when
> we attempt to use the paged results control on the proxy. For example:
>
> ldapsearch -E pr=1000/noprompt -x -b "cn=people,dc=stanford,dc=edu" -h localhost
> "(&(objectClass=suPerson)(suVisibIdentity=world))" ou telephonenumber title
>
> ends with the error:
>
> # search result
> search: 5
> result: 0 Success
> control: 1.2.840.113556.1.4.319 false MA0CAQAECCiDAAAAAAAA
> pagedresults: cookie=KIMAAAAAAAA=
> # extended LDIF
> #
> # LDAPv3
> # base<cn=people,dc=stanford,dc=edu> with scope subtree
> # filter: (&(objectClass=suPerson)(suVisibIdentity=world))
> # requesting: ou telephonenumber title
> # with pagedResults control: size=1000
> #
>
> # search result
> search: 6
> result: 2 Protocol error
> text: paged results cookie is invalid
>
> # numResponses: 4005
> # numEntries: 4000
>
> This result is not consistent. We have seen examples where 2000 and 3000
> entries were returned and then the error. Another test that we performed with
> a slightly more complex filter, i.e.
>
> "(&(objectClass=suPerson)(|(suVisibIdentity=world)(suVisibIdentity=world)))"
>
> usually returned 1000 entries before erroring.
>
> Issuing a similar search directly against the backend ldap server completes
> without error.
>
> We have seen the same behavior on OpenLDAP 2.4.23 as well.
>
> Logs generated running slapd standalone with '-d stats,packets' are available at
> http://www.stanford.edu/~whm/files/ldap-debugging/.
Your log shows that the subsequent search request initiates a new Bind to the
remote server, which implies that it's not re-using the same connection as the
first request. Since a paged results cookie is only valid within the context
of a single connection, you get this error result.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/