
Re: LDAP patch, and questions



On Sun, 2003-10-26 at 07:13, Matti Aarnio wrote:
> On Wed, Oct 22, 2003 at 09:04:05PM -0300, Jeff Warnica wrote:
> takes over, not LDAPv3 -- thus pre-existing LDAP configurations don't
> need magic "protocol 2" line in them.
> 

Fair enough.. The patch hasn't appeared in cvs-web at least, though.

> From Lay Yiu Fai's doc/guides/ldap.doc:
> 
>   In case of a server or network error that makes the map lookup fail,
>   the mail message will be deferred and held with DEFER_IO_ERROR.
> 
> That deferral status is a sort of parallelly set flag, which must
> be tested to see if such has happened during the failure, in order
> to separate failure to access the database from 'key not found'.
> (See 'man getpwnam' for its failure processing.
>  What a bloody awful API..)
> 
> However how should the thing do a retry ?  I don't know.
> Is there a need to do server close and reconnect ?
> 

OpenLDAP's LDAP(3) man page:

       The basic interaction is as follows.  A session handle is created using
       ldap_init(3) or ldap_initialize(3).  (The ldap_initialize(3) routine is
       preferred, but is not part of the draft specification.)  The underlying
       session is established upon first use, which is commonly an LDAP bind
       operation.  The LDAP bind operation is performed by calling
       ldap_sasl_bind(3) or one of its friends.

Our ldap.c doesn't do an ldap_init[ialize] before it starts to
ldap_set_options(). OpenLDAP's ldap_initialize is completely
undocumented, but from what I gather from the docs of code that uses it,
and the mailing list, it can take a space-separated list of servers
(URIs, actually). I think, but am not sure, that on a very low level the
OpenLDAP libs will cycle through all servers/URIs it has, trying to open a
connection - each and every time it tries to send something across the
wire - before it will return a failure.

Since it doesn't appear to matter if ldap_init* is called at all, an ifdef
openldap (or whatever) around ldap_initialize(ldapurlconf, NULL) might
solve the problem of death by passing it on up the chain.

If all listed LDAP servers can't be contacted, then there would still be
the failure. What process handles retrying messages that have been
deferred?

> Ah..  With  openldap  package in my system, I see lots of possible
> errors to be handled;  "man 3 ldap_error"
> 

If you happen to have the cyrus-sasl sources lying around, the
contributed auth_ldap plugin for saslauthd seems to handle all the
possible errors quite well. (Or rather, the plugin calls on the author
Igor Brezac's 'lak.c', which handles things quite nicely.) It might be
reasonable to start over on ZM's LDAP functionality with Igor's little
collection that is lak.[c|h]....

> Using my book library, and comparing some notes regarding UMICH
> and Netscape LDAP SDKs, especially things related to ldap rebindings
> (for referrals, I presume) are ... slightly different in them.
> To add more confusion,  OpenLDAP is a mixture of NS and UMICH APIs.

UMICH officially no longer supports their LDAP stuff and directs people
towards OpenLDAP... I don't know how long this has been the case, or how
many sites are still using UMICH stuff (and can't change). It might not
be unreasonable to just make a new ldap db; ldapv3, based on Igor's lak
stuff, and if that doesn't handle UMICH's now-obsolete libs then so be
it.
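As an added illustration (not from this thread, ZMailer's ldap.c or lak.c) of the three-way status Matti describes: a classifier for an ldap_search outcome that keeps "key not found" apart from "database unreachable, defer with DEFER_IO_ERROR", and also says whether the handle must be torn down and re-initialized. It uses OpenLDAP's result codes from <ldap.h> when that header is present and otherwise falls back to the same numeric values; the enum and function names are my own.

```c
/* Use the real OpenLDAP result codes when the header is present;
 * otherwise define the same numeric values ldap.h uses. */
#if defined(__has_include)
#  if __has_include(<ldap.h>)
#    include <ldap.h>
#    define HAVE_REAL_LDAP_H 1
#  endif
#endif
#ifndef HAVE_REAL_LDAP_H
#  define LDAP_SUCCESS              0x00
#  define LDAP_OPERATIONS_ERROR     0x01
#  define LDAP_TIMELIMIT_EXCEEDED   0x03
#  define LDAP_NO_SUCH_OBJECT       0x20
#  define LDAP_BUSY                 0x33
#  define LDAP_UNAVAILABLE          0x34
#  define LDAP_SERVER_DOWN          (-0x01)
#  define LDAP_TIMEOUT              (-0x05)
#  define LDAP_CONNECT_ERROR        (-0x0b)
#endif

/* Outcome of a map lookup. Returning this instead of a bare NULL/value
 * makes the getpwnam-style "parallel flag" impossible to forget: the
 * caller cannot mistake MAP_DEFER for MAP_NOT_FOUND. */
enum map_status { MAP_FOUND, MAP_NOT_FOUND, MAP_DEFER };

/* rc is the result code of the search (ldap_result/ldap_parse_result),
 * nentries the value of ldap_count_entries on the result.
 * *reconnect is set when the session itself is dead and the handle
 * should be unbound and re-initialized before any retry. */
enum map_status classify_ldap_result(int rc, int nentries, int *reconnect)
{
    *reconnect = 0;
    switch (rc) {
    case LDAP_SUCCESS:
        /* Search ran; zero matches is a genuine negative answer. */
        return nentries > 0 ? MAP_FOUND : MAP_NOT_FOUND;
    case LDAP_NO_SUCH_OBJECT:
        /* Search base absent: server answered, key is not there. */
        return MAP_NOT_FOUND;
    case LDAP_SERVER_DOWN:      /* connection gone: must re-init */
    case LDAP_CONNECT_ERROR:
    case LDAP_TIMEOUT:
        *reconnect = 1;
        return MAP_DEFER;
    default:
        /* BUSY, UNAVAILABLE, TIMELIMIT_EXCEEDED, OPERATIONS_ERROR, ...:
         * server reachable but did not answer the question. Never
         * report this as "not found"; defer and retry later. */
        return MAP_DEFER;
    }
}
```

A router that treats MAP_DEFER as a lookup miss would silently make routing or relay decisions on the basis of an outage, which is why the deferred case must stay a distinct value all the way up the chain.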
