On Mon, Nov 13, 2006 at 10:11:52AM +0100, Steffen Kaiser wrote:
> - unbind() when I do not intend to use the LDAP connection in the script anymore, e.g. after authentication is done and the data has been read (LDAP retrieval done),
> - re-bind() when I start a new LDAP retrieval (most often, an anonymous bind in order to find the user logging in),
> - when bind() or the first search fails with "pending blah blah" or "unwilling to perform", I drop the LDAP connection and reconnect, then bind() and, eventually, search again.

In my tpop3d auth module, I do this, e.g. when an LDAP error is returned and it is not a handled one (i.e. bad credentials should mean a wrong password, so not in that case, but for other errors), I reissue the whole thing, with some kind of loop counter and timeout value. However, during my very heavy test load, there was not even a single LDAP error. Sure, I close and reopen (and bind) the LDAP connection each time, so maybe this does the trick even if it's far from ideal in performance (as I've written, even with this, 300 pop3 sessions / second is done, even with very heavy debug logging set in OpenLDAP, tpop3d and my auth stuff through syslog).

> None of this is necessary by the API as I understand it, but now the scripts almost never fail for LDAP errors.

Hmm, maybe this should be asked on the OpenLDAP list ...? I was afraid to be off topic there, but since it seems to be a general problem with OpenLDAP I should try that, I think now.

--
- Gábor
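
The retry policy discussed in this message (retry on errors other than bad credentials, bounded by a loop counter and a timeout, with a fresh connection and bind on every attempt), as an added example that is not code from the original post or from tpop3d. `FlakyDirectory`, `authenticate` and their parameters are hypothetical names; the directory is a constructed in-memory stand-in for a server, and the result codes are those defined in RFC 4511.

```python
import time

# LDAP result codes from RFC 4511.
INVALID_CREDENTIALS = 49
BUSY, UNAVAILABLE, UNWILLING_TO_PERFORM = 51, 52, 53
TRANSIENT = {BUSY, UNAVAILABLE, UNWILLING_TO_PERFORM}

class LDAPFailure(Exception):
    def __init__(self, code):
        super().__init__(f"LDAP result code {code}")
        self.code = code

class FlakyDirectory:
    """Constructed stand-in for an LDAP server: fails the first `faults` binds."""
    def __init__(self, users, faults=0, fault_code=UNWILLING_TO_PERFORM):
        self.users, self.faults, self.fault_code = users, faults, fault_code
        self.connections = 0

    def connect_and_bind(self, dn, password):
        self.connections += 1            # every attempt uses a fresh connection
        if self.faults > 0:
            self.faults -= 1
            raise LDAPFailure(self.fault_code)
        if self.users.get(dn) != password:
            raise LDAPFailure(INVALID_CREDENTIALS)
        return True

def authenticate(directory, dn, password, max_tries=3, deadline_s=2.0, backoff_s=0.01):
    """Return True/False for a definite answer; raise if the directory stays broken."""
    if not password:
        return False                     # an empty password would be an unauthenticated bind
    give_up_at = time.monotonic() + deadline_s
    for attempt in range(1, max_tries + 1):
        try:
            return directory.connect_and_bind(dn, password)
        except LDAPFailure as err:
            if err.code == INVALID_CREDENTIALS:
                return False             # wrong password: a handled answer, never retried
            if err.code not in TRANSIENT:
                raise                    # unknown error: fail closed, do not guess
            if attempt == max_tries or time.monotonic() >= give_up_at:
                raise                    # still failing: report a temporary failure
            time.sleep(backoff_s * attempt)
```

A caller should map the raised `LDAPFailure` to a temporary authentication failure rather than to "bad password", so that a directory outage is not logged or counted as failed logins.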