(ITS#9018) dynlist don't close connection
Full_Name: Ihar Harbuz
Version: 2.4.44
OS: RHEL 7.6
URL: http://ftp.openldap.org/incoming/
Submission from: (NULL) (128.140.241.193)
Good day.
I have the following configuration:
#########################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload back_ldap.la
moduleload back_meta.la
moduleload dynlist.la
moduleload memberof.la
moduleload deref.la
overlay dynlist
dynlist-attrset posixGroup labeledURI
database meta
suffix "dc=main,dc=company,dc=by"
uri "ldap://dc1-cont.main.company.by/dc=main,dc=company,dc=by"
    "ldap://dc2-cont.main.company.by/"
idassert-bind bindmethod=simple
    binddn="CN=ldapproxy,OU=ServiceAccounts,DC=MAIN,DC=company,DC=BY"
    credentials="XXXXXXXXXXXXXXX" mode=none
idassert-authzFrom *
rebind-as-user yes
subordinate
rewriteEngine on
rewriteContext searchFilter
rewriteRule "RecursiveMemberOf=(.*),dc=by"
    "memberOf:1.2.840.113556.1.4.1941:=%1,dc=by" ":"
database meta
suffix "dc=external,dc=company,dc=by"
uri "ldap://edc1-cont.main.company.by/dc=external,dc=company,dc=by"
    "ldap://edc2-cont.main.company.by/"
idassert-bind bindmethod=simple
    binddn="CN=ldapproxy,DC=external,DC=company,DC=by"
    credentials="XXXXXXXXXXXXXXXXXXXX" mode=none
idassert-authzFrom *
rebind-as-user yes
subordinate
rewriteEngine on
rewriteContext searchFilter
rewriteRule "RecursiveMemberOf=(.*),dc=by"
    "memberOf:1.2.840.113556.1.4.1941:=%1,dc=by" ":"
database hdb
suffix "dc=company,dc=by"
directory /var/lib/ldap
rootdn cn=ldapadm,dc=company,dc=by
rootpw "XXXXXXXXXX"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
database monitor
#####################################################################################
All ldapsearch commands work fine if the request doesn't hit dynlist.
If the request hits dynlist, then it outputs the information and hangs.
slapd -d -1 writes:
ber_flush2: 1441 bytes to sd 15
0000: 30 82 05 9d 02 01 02 64 82 05 96 04 4c 63 6e 3d 0......d....Lcn=
0010: 53 47 5f 4f 53 5f 53 4f 4c 41 52 49 53 2c 6f 75 SG_OS_SOLARIS,ou
0020: 3d 53 65 63 75 72 69 74 79 20 47 72 6f 75 70 73 =Security Groups
.................
ldap_write: want=1441, written=1441
0000: 30 82 05 9d 02 01 02 64 82 05 96 04 4c 63 6e 3d 0......d....Lcn=
0010: 53 47 5f 4f 53 5f 53 4f 4c 41 52 49 53 2c 6f 75 SG_OS_SOLARIS,ou
0020: 3d 53 65 63 75 72 69 74 79 20 47 72 6f 75 70 73 =Security Groups
.................
5ccac7d7 <= send_search_entry: conn 1000 exit.
ldap_msgfree
And it waits until I interrupt the request on the client.
After that:
5ccac856 daemon: activity on 1 descriptor
5ccac856 daemon: activity on: 15r
5ccac856 daemon: read active on 15
5ccac856 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ccac856 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ccac856 connection_get(15)
5ccac856 connection_get(15): got connid=1000
5ccac856 connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=0
5ccac856 ber_get_next on fd 15 failed errno=0 (Success)
5ccac856 connection_read(15): input error=-2 id=1000, closing.
5ccac856 connection_closing: readying conn=1000 sd=15 for close
5ccac856 connection_close: deferring conn=1000 sd=15
5ccac856 daemon: activity on 1 descriptor
5ccac856 daemon: activity on:
5ccac856 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ccac856 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ccac856 connection_resched: attempting closing conn=1000 sd=15
5ccac856 connection_close: conn=1000 sd=15
5ccac856 =>meta_back_conn_destroy: fetching conn=1000
DN="cn=solaris,dc=company,dc=by"
5ccac856 =>meta_back_conn_destroy: destroying conn 1000 refcnt=0
flags=0x00000100
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 18
0000: 30 05 02 01 04 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 04 42 00 0....B.
ldap_free_connection: actually freed
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 17
0000: 30 05 02 01 04 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 04 42 00 0....B.
ldap_free_connection: actually freed
ldap_msgfree
5ccac856 =>meta_back_conn_destroy: fetching conn=1000
DN="cn=solaris,dc=company,dc=by"
5ccac856 daemon: removing 15
5ccac856 conn=1000 fd=15 closed (connection lost)
On the client side it looks like this:
ldapsearch -b ....
...
USERPRINCIPALNAME: test1@MAIN.COMPANY.BY
USERPRINCIPALNAME: test2@MAIN.COMPANY.BY
^C