Re: SSL LDAP connection caching problem (was Re: [exim] LDAP…

Author: John Dalbec
Date:  
To: exim-users
Old topics: Re: SSL LDAP connection caching problem (was Re: [exim] LDAP connection caching problem?)
Subject: Re: SSL LDAP connection caching problem (was Re: [exim] LDAP connection caching problem?)
Nico Erfurth wrote:

> John Dalbec wrote:
>
>>I wrote a Perl script to test this. It opens an LDAP connection and
>>binds to the directory. It forks a child that runs a search then sleeps
>>for a while. The parent sleeps to allow the child search to complete,
>>then forks a second child that runs the same search and then sleeps for
>>a while. If I set up the LDAP connection unencrypted, the script runs
>>fine. If I set up the LDAP connection encrypted, the second search gets
>>an I/O error.
>>
>>I think a reasonable workaround is if Exim caches the PID along with the
>>other connection information for encrypted connections and then uses the
>>encrypted connection only with that PID. Does anyone have a better idea?
>
>
> IIRC exim calls the tidyup-function of all lookuptypes before spawning a
> new process, so this shouldn't happen as long as ldap_tidyup is
> implemented correctly.


I don't think that's happening in rda.c:

/* We need to run the processing code in a sub-process. However, if we can
determine the non-existence of a file first, we can decline without having to
create the sub-process. */

if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
  return FF_NONEXIST;

/* If the file does exist, or we can't tell (non-root mounted NFS directory)
we have to create the subprocess to do everything as the given user. The
results of processing are passed back via a pipe. */

if (pipe(pfd) != 0)
  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
    ":include: failed for %s: %s", rname, strerror(errno));

/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
process can be waited for. We sometimes get here with it set otherwise. Save
the old state for resetting on the wait. */

oldsignal = signal(SIGCHLD, SIG_DFL);
if ((pid = fork()) == 0)
  {
  header_line *waslast = header_last;   /* Save last header */

  fd = pfd[pipe_write];
  (void)close(pfd[pipe_read]);
  exim_setugid(ugid->uid, ugid->gid, FALSE, rname);

  /* Addresses can get rewritten in filters; if we are not root or the exim
  user (and we probably are not), turn off rewrite logging, because we cannot
  write to the log now. */

  if (ugid->uid != root_uid && ugid->uid != exim_uid)
    {
    DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
      "root or exim in this process)\n");
    log_write_selector &= ~L_address_rewrite;
    }

  /* Now do the business */

  yield = rda_extract(rdata, options, include_directory,
    sieve_vacation_directory, sieve_useraddress, sieve_subaddress, generated,
    error, eblockp, filtertype);


I see nothing about tidying up in this code. What should I add?
Thanks,
John
>
> Nico
>
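
The workaround proposed in the message above (store the PID with a cached encrypted connection and use that connection only from that PID), as an added C example that is not Exim's code and not from either poster. The `conn_entry` cache, the `serial` field standing in for the LDAP handle, and the `example.test` host names are constructed for illustration; no LDAP library is called.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical cache entry; 'serial' stands in for the real LDAP/TLS handle. */
typedef struct { char host[64]; int is_tls, in_use, serial; pid_t owner; } conn_entry;
static conn_entry cache[4];
static int next_serial = 1;  /* bumped where real code would connect and bind */

/* Reuse a TLS entry only in the process that created it (PID check). */
conn_entry *cache_get(const char *host, int is_tls)
{
  conn_entry *slot = NULL;
  for (int i = 0; i < 4; i++) {
    conn_entry *e = &cache[i];
    if (e->in_use && strcmp(e->host, host) == 0 && e->is_tls == is_tls) {
      if (!is_tls || e->owner == getpid()) return e;
      /* Inherited across fork(): forget our copy only. Real code would close
         the descriptor without an unbind, as the parent still uses it. */
      e->in_use = 0;
    }
    if (!e->in_use && slot == NULL) slot = e;
  }
  if (slot == NULL) return NULL;  /* cache full */
  snprintf(slot->host, sizeof slot->host, "%s", host);
  slot->is_tls = is_tls; slot->in_use = 1;
  slot->serial = next_serial++; slot->owner = getpid();
  return slot;
}

/* Fork; 1 = child opened its own connection, 0 = reused parent's, -1 = error. */
int child_opens_own(const char *host, int is_tls)
{
  conn_entry *p = cache_get(host, is_tls);
  if (p == NULL) return -1;
  int parent_serial = p->serial, status = 0;
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    conn_entry *c = cache_get(host, is_tls);
    _exit(c == NULL ? 2 : (c->serial != parent_serial));
  }
  if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
  return WEXITSTATUS(status) <= 1 ? WEXITSTATUS(status) : -1;
}

int main(void) { return child_opens_own("ldaps.example.test", 1) == 1 ? 0 : 1; }
```

The unencrypted entry is still shared with the child here because the proposal in the message limits the PID check to encrypted connections.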