implement (per-target) per-conn proxy-side idle-timeout (ITS#4115); revitalize (per-target) network-timeout in back-meta; fix issue with connection initialization error in ldap_back_retry(); cleanup configuration of back-ldap

servers/slapd/back-ldap/back-ldap.h

@@ -79,6 +79,7 @@ typedef struct ldapconn_t {
 
 	unsigned		lc_refcnt;
 	unsigned		lc_flags;
+	time_t			lc_time;
 } ldapconn_t;
 
 /*
@@ -183,6 +184,8 @@ typedef struct ldapinfo_t {
 
 	ldap_avl_info_t	li_conninfo;
 
+	time_t		li_network_timeout;
+	time_t		li_idle_timeout;
 	time_t		li_timeout[ LDAP_BACK_OP_LAST ];
 } ldapinfo_t;
 

servers/slapd/back-ldap/bind.c

@@ -581,9 +581,22 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 		}
 
 	} else {
-		Debug( LDAP_DEBUG_TRACE,
-			"=>ldap_back_getconn: conn %p fetched (refcnt=%u)\n",
-			(void *)lc, refcnt, 0 );
+		if ( li->li_idle_timeout != 0 && op->o_time > lc->lc_time + li->li_idle_timeout ) {
+			/* in case of failure, it frees/taints lc and sets it to NULL */
+			if ( ldap_back_retry( &lc, op, rs, sendok ) ) {
+				lc = NULL;
+			}
+		}
+
+		if ( lc ) {
+			Debug( LDAP_DEBUG_TRACE,
+				"=>ldap_back_getconn: conn %p fetched (refcnt=%u)\n",
+				(void *)lc, refcnt, 0 );
+		}
+	}
+
+	if ( li->li_idle_timeout && lc ) {
+		lc->lc_time = op->o_time;
 	}
 
 done:;
@@ -925,6 +938,9 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_
 	int		rc = 0;
 	ldapinfo_t	*li = (ldapinfo_t *)op->o_bd->be_private;
 
+	assert( lcp != NULL );
+	assert( *lcp != NULL );
+
 	ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
 
 	if ( (*lcp)->lc_refcnt == 1 ) {
@@ -940,7 +956,11 @@ ldap_back_retry( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_
 
 		/* lc here must be the regular lc, reset and ready for init */
 		rc = ldap_back_prepare_conn( lcp, op, rs, sendok );
-		if ( rc == LDAP_SUCCESS ) {
+		if ( rc != LDAP_SUCCESS ) {
+			rc = 0;
+			*lcp = NULL;
+
+		} else {
 			rc = ldap_back_dobind_int( *lcp, op, rs, sendok, 0, 0 );
 			if ( rc == 0 ) {
 				*lcp = NULL;

servers/slapd/back-ldap/config.c

@@ -60,6 +60,7 @@ enum {
 	LDAP_BACK_CFG_T_F,
 	LDAP_BACK_CFG_WHOAMI,
 	LDAP_BACK_CFG_TIMEOUT,
+	LDAP_BACK_CFG_IDLE_TIMEOUT,
 	LDAP_BACK_CFG_REWRITE,
 
 	LDAP_BACK_CFG_LAST
@@ -214,6 +215,14 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
+	{ "idle-timeout", "timeout", 2, 0, 0,
+		ARG_MAGIC|LDAP_BACK_CFG_IDLE_TIMEOUT,
+		ldap_back_cf_gen, "( OLcfgDbAt:3.15 "
+			"NAME 'olcDbIdleTimeout' "
+			"DESC 'connection idle timeout' "
+			"SYNTAX OMsDirectoryString "
+			"SINGLE-VALUE )",
+		NULL, NULL },
 	{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
 		ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
 		ldap_back_cf_gen, NULL, NULL, NULL },
@@ -247,6 +256,7 @@ static ConfigOCs ldapocs[] = {
 			"$ olcDbTFSupport "
 			"$ olcDbProxyWhoAmI "
 			"$ olcDbTimeout "
+			"$ olcDbIdleTimeout "
 		") )",
 		 	Cft_Database, ldapcfg},
 	{ NULL, 0, NULL }
@@ -310,14 +320,8 @@ ldap_back_cf_gen( ConfigArgs *c )
 
 		case LDAP_BACK_CFG_TLS:
 			enum_to_verb( tls_mode, ( li->li_flags & LDAP_BACK_F_TLS_MASK ), &bv );
-			if ( BER_BVISNULL( &bv ) ) {
-				/* there's something wrong... */
-				assert( 0 );
-				rc = 1;
-
-			} else {
-				value_add_one( &c->rvalue_vals, &bv );
-			}
+			assert( !BER_BVISNULL( &bv ) );
+			value_add_one( &c->rvalue_vals, &bv );
 			break;
 
 		case LDAP_BACK_CFG_ACL_AUTHCDN:
@@ -330,6 +334,10 @@ ldap_back_cf_gen( ConfigArgs *c )
 		case LDAP_BACK_CFG_ACL_BIND: {
 			int	i;
 
+			if ( li->li_acl_authmethod == LDAP_AUTH_NONE ) {
+				return 1;
+			}
+
 			bindconf_unparse( &li->li_acl, &bv );
 
 			for ( i = 0; isspace( bv.bv_val[ i ] ); i++ )
@@ -373,6 +381,10 @@ ldap_back_cf_gen( ConfigArgs *c )
 			struct berval	bc = BER_BVNULL;
 			char		*ptr;
 
+			if ( li->li_idassert_authmethod == LDAP_AUTH_NONE ) {
+				return 1;
+			}
+
 			if ( li->li_idassert_authmethod != LDAP_AUTH_NONE ) {
 				ber_len_t	len;
 
@@ -506,22 +518,46 @@ ldap_back_cf_gen( ConfigArgs *c )
 		case LDAP_BACK_CFG_TIMEOUT:
 			BER_BVZERO( &bv );
 
+			for ( i = 0; i < LDAP_BACK_OP_LAST; i++ ) {
+				if ( li->li_timeout[ i ] != 0 ) {
+					break;
+				}
+			}
+
+			if ( i == LDAP_BACK_OP_LAST ) {
+				return 1;
+			}
+
 			slap_cf_aux_table_unparse( li->li_timeout, &bv, timeout_table );
 
-			if ( !BER_BVISNULL( &bv ) ) {	
-				for ( i = 0; isspace( bv.bv_val[ i ] ); i++ )
-					/* count spaces */ ;
-
-				if ( i ) {
-					bv.bv_len -= i;
-					AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
-						bv.bv_len + 1 );
-				}
-
-				ber_bvarray_add( &c->rvalue_vals, &bv );
+			if ( BER_BVISNULL( &bv ) ) {
+				return 1;
 			}
+
+			for ( i = 0; isspace( bv.bv_val[ i ] ); i++ )
+				/* count spaces */ ;
+
+			if ( i ) {
+				bv.bv_len -= i;
+				AC_MEMCPY( bv.bv_val, &bv.bv_val[ i ],
+					bv.bv_len + 1 );
+			}
+
+			ber_bvarray_add( &c->rvalue_vals, &bv );
 			break;
 
+		case LDAP_BACK_CFG_IDLE_TIMEOUT: {
+			char	buf[ SLAP_TEXT_BUFLEN ];
+
+			if ( li->li_idle_timeout == 0 ) {
+				return 1;
+			}
+
+			lutil_unparse_time( buf, sizeof( buf ), li->li_idle_timeout );
+			ber_str2bv( buf, 0, 0, &bv );
+			value_add_one( &c->rvalue_vals, &bv );
+			} break;
+
 		default:
 			/* FIXME: we need to handle all... */
 			assert( 0 );
@@ -599,6 +635,10 @@ ldap_back_cf_gen( ConfigArgs *c )
 			}
 			break;
 
+		case LDAP_BACK_CFG_IDLE_TIMEOUT:
+			li->li_idle_timeout = 0;
+			break;
+
 		default:
 			/* FIXME: we need to handle all... */
 			assert( 0 );
@@ -614,14 +654,6 @@ ldap_back_cf_gen( ConfigArgs *c )
 		char		**urllist = NULL;
 		int		urlrc = LDAP_URL_SUCCESS, i;
 
-		if ( c->argc != 2 ) {
-			fprintf( stderr, "%s: line %d: "
-					"missing uri "
-					"in \"uri <uri>\" line\n",
-					c->fname, c->lineno );
-			return 1;
-		}
-
 		if ( li->li_uri != NULL ) {
 			ch_free( li->li_uri );
 			li->li_uri = NULL;
@@ -671,10 +703,11 @@ ldap_back_cf_gen( ConfigArgs *c )
 				why = "unknown reason";
 				break;
 			}
-			fprintf( stderr, "%s: line %d: "
+			snprintf( c->msg, sizeof( c->msg),
 					"unable to parse uri \"%s\" "
-					"in \"uri <uri>\" line: %s\n",
-					c->fname, c->lineno, c->value_string, why );
+					"in \"uri <uri>\" line: %s",
+					c->value_string, why );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			urlrc = 1;
 			goto done_url;
 		}
@@ -690,12 +723,13 @@ ldap_back_cf_gen( ConfigArgs *c )
 					|| tmpludp->lud_filter != NULL
 					|| tmpludp->lud_exts != NULL )
 			{
-				fprintf( stderr, "%s: line %d: "
+				snprintf( c->msg, sizeof( c->msg ),
 						"warning, only protocol, "
 						"host and port allowed "
 						"in \"uri <uri>\" statement "
-						"for uri #%d of \"%s\"\n",
-						c->fname, c->lineno, i, c->value_string );
+						"for uri #%d of \"%s\"",
+						i, c->value_string );
+				Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			}
 		}
 
@@ -724,11 +758,12 @@ ldap_back_cf_gen( ConfigArgs *c )
 			urllist[ i ]  = ldap_url_desc2str( &tmplud );
 
 			if ( urllist[ i ] == NULL ) {
-				fprintf( stderr, "%s: line %d: "
+				snprintf( c->msg, sizeof( c->msg),
 					"unable to rebuild uri "
 					"in \"uri <uri>\" statement "
-					"for \"%s\"\n",
-					c->fname, c->lineno, c->argv[ 1 ] );
+					"for \"%s\"",
+					c->argv[ 1 ] );
+				Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 				urlrc = 1;
 				goto done_url;
 			}
@@ -777,10 +812,11 @@ done_url:;
 			break;
 
 		default:
-			fprintf( stderr, "%s: line %d: "
+			snprintf( c->msg, sizeof( c->msg),
 				"\"acl-authcDN <DN>\" incompatible "
-				"with auth method %d.",
-				c->fname, c->lineno, li->li_acl_authmethod );
+				"with auth method %d",
+				li->li_acl_authmethod );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			return 1;
 		}
 		if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
@@ -802,10 +838,11 @@ done_url:;
 			break;
 
 		default:
-			fprintf( stderr, "%s: line %d: "
+			snprintf( c->msg, sizeof( c->msg ),
 				"\"acl-passwd <cred>\" incompatible "
-				"with auth method %d.",
-				c->fname, c->lineno, li->li_acl_authmethod );
+				"with auth method %d",
+				li->li_acl_authmethod );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			return 1;
 		}
 		if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
@@ -897,10 +934,11 @@ done_url:;
 			break;
 
 		default:
-			fprintf( stderr, "%s: line %d: "
+			snprintf( c->msg, sizeof( c->msg ),
 				"\"idassert-authcDN <DN>\" incompatible "
-				"with auth method %d.",
-				c->fname, c->lineno, li->li_idassert_authmethod );
+				"with auth method %d",
+				li->li_idassert_authmethod );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			return 1;
 		}
 		if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
@@ -922,10 +960,11 @@ done_url:;
 			break;
 
 		default:
-			fprintf( stderr, "%s: line %d: "
+			snprintf( c->msg, sizeof( c->msg ),
 				"\"idassert-passwd <cred>\" incompatible "
-				"with auth method %d.",
-				c->fname, c->lineno, li->li_idassert_authmethod );
+				"with auth method %d",
+				li->li_idassert_authmethod );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			return 1;
 		}
 		if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
@@ -943,10 +982,10 @@ done_url:;
 		ber_str2bv( c->argv[ 1 ], 0, 0, &in );
 		rc = authzNormalize( 0, NULL, NULL, &in, &bv, NULL );
 		if ( rc != LDAP_SUCCESS ) {
-			fprintf( stderr, "%s: %d: "
+			snprintf( c->msg, sizeof( c->msg ),
 				"\"idassert-authzFrom <authz>\": "
-				"invalid syntax.\n",
-				c->fname, c->lineno );
+				"invalid syntax" );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			return 1;
 		}
 #else /* !SLAP_AUTHZ_SYNTAX */
@@ -957,10 +996,10 @@ done_url:;
 
 	case LDAP_BACK_CFG_IDASSERT_METHOD:
 		/* no longer supported */
-		fprintf( stderr, "%s: %d: "
+		snprintf( c->msg, sizeof( c->msg ),
 			"\"idassert-method <args>\": "
-			"no longer supported; use \"idassert-bind\".\n",
-			c->fname, c->lineno );
+			"no longer supported; use \"idassert-bind\"" );
+		Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 		return 1;
 
 	case LDAP_BACK_CFG_IDASSERT_BIND:
@@ -971,10 +1010,11 @@ done_url:;
 
 				j = verb_to_mask( argvi, idassert_mode );
 				if ( BER_BVISNULL( &idassert_mode[ j ].word ) ) {
-					fprintf( stderr, "%s: %d: "
+					snprintf( c->msg, sizeof( c->msg ),
 						"\"idassert-bind <args>\": "
-						"unknown mode \"%s\".\n",
-						c->fname, c->lineno, argvi );
+						"unknown mode \"%s\"",
+						argvi );
+					Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 					return 1;
 				}
 
@@ -985,11 +1025,11 @@ done_url:;
 
 				if ( strcasecmp( argvi, "native" ) == 0 ) {
 					if ( li->li_idassert_authmethod != LDAP_AUTH_SASL ) {
-						fprintf( stderr, "%s: %d: "
+						snprintf( c->msg, sizeof( c->msg ),
 							"\"idassert-bind <args>\": "
 							"authz=\"native\" incompatible "
-							"with auth method.\n",
-							c->fname, c->lineno );
+							"with auth method" );
+						Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 						return 1;
 					}
 					li->li_idassert_flags |= LDAP_BACK_AUTH_NATIVE_AUTHZ;
@@ -998,10 +1038,11 @@ done_url:;
 					li->li_idassert_flags &= ~LDAP_BACK_AUTH_NATIVE_AUTHZ;
 
 				} else {
-					fprintf( stderr, "%s: %d: "
+					snprintf( c->msg, sizeof( c->msg ),
 						"\"idassert-bind <args>\": "
-						"unknown authz \"%s\".\n",
-						c->fname, c->lineno, argvi );
+						"unknown authz \"%s\"",
+						argvi );
+					Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 					return 1;
 				}
 
@@ -1011,10 +1052,11 @@ done_url:;
 				int	j;
 
 				if ( flags == NULL ) {
-					fprintf( stderr, "%s: %d: "
+					snprintf( c->msg, sizeof( c->msg ),
 						"\"idassert-bind <args>\": "
-						"unable to parse flags \"%s\".\n",
-						c->fname, c->lineno, argvi );
+						"unable to parse flags \"%s\"",
+						argvi );
+					Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 					return 1;
 				}
 
@@ -1029,10 +1071,11 @@ done_url:;
 						li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
 
 					} else {
-						fprintf( stderr, "%s: %d: "
+						snprintf( c->msg, sizeof( c->msg ),
 							"\"idassert-bind <args>\": "
-							"unknown flag \"%s\".\n",
+							"unknown flag \"%s\"",
 							c->fname, c->lineno, flags[ j ] );
+						Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 						return 1;
 					}
 				}
@@ -1084,10 +1127,6 @@ done_url:;
 		break;
 
 	case LDAP_BACK_CFG_TIMEOUT:
-		if ( c->argc < 2 ) {
-			return 1;
-		}
-
 		for ( i = 1; i < c->argc; i++ ) {
 			if ( isdigit( c->argv[ i ][ 0 ] ) ) {
 				int		j;
@@ -1110,13 +1149,26 @@ done_url:;
 		}
 		break;
 
+	case LDAP_BACK_CFG_IDLE_TIMEOUT: {
+		unsigned long	t;
+
+		if ( lutil_parse_time( c->argv[ 1 ], &t ) != 0 ) {
+			snprintf( c->msg, sizeof( c->msg),
+				"unable to parse idle timeout \"%s\"",
+				c->argv[ 1 ] );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
+			return 1;
+		}
+		li->li_idle_timeout = (time_t)t;
+		} break;
+
 	case LDAP_BACK_CFG_REWRITE:
-		fprintf( stderr, "%s: line %d: "
+		snprintf( c->msg, sizeof( c->msg ),
 			"rewrite/remap capabilities have been moved "
 			"to the \"rwm\" overlay; see slapo-rwm(5) "
 			"for details (hint: add \"overlay rwm\" "
-			"and prefix all directives with \"rwm-\").\n",
-			c->fname, c->lineno );
+			"and prefix all directives with \"rwm-\")" );
+		Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 		return 1;
 		
 	default:

servers/slapd/back-meta/back-meta.h

@@ -177,6 +177,8 @@ typedef struct metasingleconn_t {
 #define META_ANONYMOUS		2
 #endif
 
+	time_t			msc_time;
+
 	struct metainfo_t	*msc_info;
 } metasingleconn_t;
 
@@ -228,6 +230,8 @@ typedef struct metatarget_t {
 
 	unsigned		mt_flags;
 	int			mt_version;
+	time_t			mt_network_timeout;
+	time_t			mt_idle_timeout;
 	time_t			mt_timeout[ LDAP_BACK_OP_LAST ];
 } metatarget_t;
 
@@ -248,7 +252,6 @@ typedef struct metacandidates_t {
 typedef struct metainfo_t {
 	int			mi_ntargets;
 	int			mi_defaulttarget;
-	int			mi_network_timeout;
 #define META_DEFAULT_TARGET_NONE	(-1)
 	int			mi_nretries;
 
@@ -271,6 +274,8 @@ typedef struct metainfo_t {
 #define META_BACK_DEFER_ROOTDN_BIND(mi)	( (mi)->mi_flags & META_BACK_F_DEFER_ROOTDN_BIND )
 
 	int			mi_version;
+	time_t			mi_network_timeout;
+	time_t			mi_idle_timeout;
 	time_t			mi_timeout[ LDAP_BACK_OP_LAST ];
 } metainfo_t;
 
@@ -313,9 +318,8 @@ meta_back_init_one_conn(
 	SlapReply		*rs,
 	metatarget_t		*mt, 
 	metaconn_t		*mc,
-	metasingleconn_t	*msc,
+	int			candidate,
 	int			ispriv,
-	int			isauthz,
 	ldap_back_send_t	sendok );
 
 extern int

servers/slapd/back-meta/bind.c

@@ -147,7 +147,7 @@ meta_back_bind( Operation *op, SlapReply *rs )
 			 */
 			Debug( LDAP_DEBUG_ANY,
 				"### %s meta_back_bind: more than one"
-				" candidate is trying to bind...\n",
+				" candidate selected...\n",
 				op->o_log_prefix, 0, 0 );
 		}
 
@@ -334,6 +334,7 @@ rebind:;
 		struct timeval	tv;
 		int		rc;
 		int		nretries = mt->mt_nretries;
+		char		buf[ SLAP_TEXT_BUFLEN ];
 
 		LDAP_BACK_TV_SET( &tv );
 
@@ -345,11 +346,12 @@ retry:;
 		tv.tv_usec = META_BIND_TIMEOUT;
 		switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
 		case 0:
-			Debug( LDAP_DEBUG_ANY,
-				"%s meta_back_single_bind: "
+			snprintf( buf, sizeof( buf ),
 				"ldap_result=0 nretries=%d%s\n",
-				op->o_log_prefix, nretries,
-				rebinding ? " rebinding" : "" );
+				nretries, rebinding ? " rebinding" : "" );
+			Debug( LDAP_DEBUG_ANY,
+				"%s meta_back_single_bind[%d]: %s.\n",
+				op->o_log_prefix, candidate, buf );
 
 			if ( nretries != META_RETRY_NEVER ) {
 				ldap_pvt_thread_yield();
@@ -381,10 +383,12 @@ retry:;
 				ldap_abandon_ext( msc->msc_ld, msgid, NULL, NULL );
 			}
 
+			snprintf( buf, sizeof( buf ),
+				"err=%d nretries=%d",
+				rs->sr_err, nretries );
 			Debug( LDAP_DEBUG_ANY,
-				"### %s meta_back_single_bind: "
-				"err=%d nretries=%d\n",
-				op->o_log_prefix, rs->sr_err, nretries );
+				"### %s meta_back_single_bind[%d]: %s.\n",
+				op->o_log_prefix, candidate, buf );
 
 			rc = slap_map_api2result( rs );
 			if ( rs->sr_err == LDAP_UNAVAILABLE && nretries != META_RETRY_NEVER ) {
@@ -487,6 +491,7 @@ rebind:;
 	if ( rc == LDAP_SUCCESS ) {
 		LDAPMessage	*res;
 		struct timeval	tv;
+		char		buf[ SLAP_TEXT_BUFLEN ];
 
 		LDAP_BACK_TV_SET( &tv );
 
@@ -498,11 +503,12 @@ retry:;
 		tv.tv_usec = META_BIND_TIMEOUT;
 		switch ( ldap_result( msc->msc_ld, msgid, 0, &tv, &res ) ) {
 		case 0:
+			snprintf( buf, sizeof( buf ),
+				"ldap_result=0 nretries=%d%s",
+				nretries, rebinding ? " rebinding" : "" );
 			Debug( LDAP_DEBUG_ANY,
-				"%s meta_back_single_dobind: "
-				"ldap_result=0 nretries=%d%s\n",
-				op->o_log_prefix, nretries,
-				rebinding ? " rebinding" : "" );
+				"%s meta_back_single_dobind[%d]: %s.\n",
+				op->o_log_prefix, candidate, buf );
 
 			if ( nretries != META_RETRY_NEVER ) {
 				ldap_pvt_thread_yield();
@@ -535,10 +541,12 @@ retry:;
 				ldap_abandon_ext( msc->msc_ld, msgid, NULL, NULL );
 			}
 
+			snprintf( buf, sizeof( buf ),
+				"err=%d nretries=%d",
+				rs->sr_err, nretries );
 			Debug( LDAP_DEBUG_ANY,
-				"### %s meta_back_single_dobind: "
-				"err=%d nretries=%d\n",
-				op->o_log_prefix, rs->sr_err, nretries );
+				"### %s meta_back_single_dobind[%d]: %s.\n",
+				op->o_log_prefix, candidate, buf );
 
 			rc = slap_map_api2result( rs );
 			if ( rc == LDAP_UNAVAILABLE && nretries != META_RETRY_NEVER ) {
@@ -558,9 +566,8 @@ retry:;
 				        /* mc here must be the regular mc,
 					 * reset and ready for init */
 				        rc = meta_back_init_one_conn( op, rs,
-						mt, mc, msc,
+						mt, mc, candidate,
 						LDAP_BACK_CONN_ISPRIV( mc ),
-						candidate == mc->mc_authz_target,
 						LDAP_BACK_DONTSEND );
 
 				} else {

servers/slapd/back-meta/config.c

@@ -35,7 +35,7 @@
 #include "back-meta.h"
 
 static int
-new_target( 
+meta_back_new_target( 
 	metatarget_t	*mt )
 {
         struct ldapmapping	*mapping;
@@ -146,7 +146,7 @@ meta_back_db_config(
 			return 1;
 		}
 
-		if ( new_target( &mi->mi_targets[ i ] ) != 0 ) {
+		if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
 			Debug( LDAP_DEBUG_ANY,
 	"%s: line %d: unable to init server"
 	" in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
@@ -157,6 +157,8 @@ meta_back_db_config(
 		mi->mi_targets[ i ].mt_nretries = mi->mi_nretries;
 		mi->mi_targets[ i ].mt_flags = mi->mi_flags;
 		mi->mi_targets[ i ].mt_version = mi->mi_version;
+		mi->mi_targets[ i ].mt_idle_timeout = mi->mi_idle_timeout;
+		mi->mi_targets[ i ].mt_network_timeout = mi->mi_network_timeout;
 
 		for ( c = 0; c < LDAP_BACK_OP_LAST; c++ ) {
 			mi->mi_targets[ i ].mt_timeout[ c ] = mi->mi_timeout[ c ];
@@ -344,7 +346,11 @@ meta_back_db_config(
 
 	/* network timeout when connecting to ldap servers */
 	} else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) {
+		int 		i = mi->mi_ntargets - 1;
 		unsigned long	t;
+		time_t		*tp = mi->mi_ntargets ?
+				&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_network_timeout
+				: &mi->mi_network_timeout;
 
 		if ( argc != 2 ) {
 			Debug( LDAP_DEBUG_ANY,
@@ -361,7 +367,40 @@ meta_back_db_config(
 
 		}
 
-		mi->mi_network_timeout = (int)t;
+		*tp = (time_t)t;
+
+	/* idle timeout when connecting to ldap servers */
+	} else if ( strcasecmp( argv[ 0 ], "idle-timeout" ) == 0 ) {
+		int 		i = mi->mi_ntargets - 1;
+		unsigned long	t;
+		time_t		*tp = mi->mi_ntargets ?
+				&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_idle_timeout
+				: &mi->mi_idle_timeout;
+
+		switch ( argc ) {
+		case 1:
+			Debug( LDAP_DEBUG_ANY,
+	"%s: line %d: missing timeout value in \"idle-timeout <seconds>\" line\n",
+				fname, lineno, 0 );
+			return 1;
+		case 2:
+			break;
+		default:
+			Debug( LDAP_DEBUG_ANY,
+	"%s: line %d: extra cruft after timeout value in \"idle-timeout <seconds>\" line\n",
+				fname, lineno, 0 );
+			return 1;
+		}
+
+		if ( lutil_parse_time( argv[ 1 ], &t ) ) {
+			Debug( LDAP_DEBUG_ANY,
+	"%s: line %d: unable to parse timeout \"%s\" in \"idle-timeout <seconds>\" line\n",
+				fname, lineno, argv[ 1 ] );
+			return 1;
+
+		}
+
+		*tp = (time_t)t;
 
 	/* name to use for meta_back_group */
 	} else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0

servers/slapd/back-meta/conn.c

@@ -206,20 +206,34 @@ meta_back_init_one_conn(
 	SlapReply		*rs,
 	metatarget_t		*mt, 
 	metaconn_t		*mc,
-	metasingleconn_t	*msc,
+	int			candidate,
 	int			ispriv,
-	int			isauthz,
 	ldap_back_send_t	sendok )
 {
-	metainfo_t	*mi = ( metainfo_t * )op->o_bd->be_private;
-	int		vers;
-	dncookie	dc;
+	metainfo_t		*mi = ( metainfo_t * )op->o_bd->be_private;
+	metasingleconn_t	*msc = &mc->mc_conns[ candidate ];
+	int			vers;
+	dncookie		dc;
+	int			isauthz = ( candidate == mc->mc_authz_target );
 
 	/*
 	 * Already init'ed
 	 */
 	if ( msc->msc_ld != NULL ) {
-		return rs->sr_err = LDAP_SUCCESS;
+		if ( mt->mt_idle_timeout == 0 ) {
+			return rs->sr_err = LDAP_SUCCESS;
+		}
+
+		if ( op->o_time > msc->msc_time + mt->mt_idle_timeout ) {
+			Debug( LDAP_DEBUG_TRACE,
+				"%s meta_back_init_one_conn[%d]: idle timeout.\n",
+				op->o_log_prefix, candidate, 0 );
+			if ( meta_back_retry( op, rs, mc, candidate, sendok ) ) {
+				return rs->sr_err;
+			}
+		}
+
+		msc->msc_time = op->o_time;
 	}
        
 	/*
@@ -344,11 +358,11 @@ retry:;
 	/*
 	 * Set the network timeout if set
 	 */
-	if ( mi->mi_network_timeout != 0 ) {
+	if ( mt->mt_network_timeout != 0 ) {
 		struct timeval	network_timeout;
 
 		network_timeout.tv_usec = 0;
-		network_timeout.tv_sec = mi->mi_network_timeout;
+		network_timeout.tv_sec = mt->mt_network_timeout;
 
 		ldap_set_option( msc->msc_ld, LDAP_OPT_NETWORK_TIMEOUT,
 				(void *)&network_timeout );
@@ -414,6 +428,10 @@ error_return:;
 		 */
 		( void )rewrite_session_init( mt->mt_rwmap.rwm_rw, op->o_conn );
 
+		if ( mt->mt_idle_timeout ) {
+			msc->msc_time = op->o_time;
+		}
+
 	} else {
 		rs->sr_err = slap_map_api2result( rs );
 		if ( sendok & LDAP_BACK_SENDERR ) {
@@ -449,17 +467,22 @@ retry_lock:;
 	assert( mc->mc_refcnt > 0 );
 
 	if ( mc->mc_refcnt == 1 ) {
+		char	buf[ SLAP_TEXT_BUFLEN ];
+
 		while ( ldap_pvt_thread_mutex_trylock( &mc->mc_mutex ) ) {
 			ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
 			ldap_pvt_thread_yield();
 			goto retry_lock;
 		}
 
-		Debug( LDAP_DEBUG_ANY,
-			"%s meta_back_retry: retrying URI=\"%s\" DN=\"%s\"\n",
-			op->o_log_prefix, mt->mt_uri,
+		snprintf( buf, sizeof( buf ),
+			"retrying URI=\"%s\" DN=\"%s\"",
+			mt->mt_uri,
 			BER_BVISNULL( &msc->msc_bound_ndn ) ?
 				"" : msc->msc_bound_ndn.bv_val );
+		Debug( LDAP_DEBUG_ANY,
+			"%s meta_back_retry[%d]: %s.\n",
+			op->o_log_prefix, candidate, buf );
 
 		meta_clear_one_candidate( msc );
 		LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
@@ -467,9 +490,8 @@ retry_lock:;
 		( void )rewrite_session_delete( mt->mt_rwmap.rwm_rw, op->o_conn );
 
 		/* mc here must be the regular mc, reset and ready for init */
-		rc = meta_back_init_one_conn( op, rs, mt, mc, msc,
-			LDAP_BACK_CONN_ISPRIV( mc ),
-			candidate == mc->mc_authz_target, sendok );
+		rc = meta_back_init_one_conn( op, rs, mt, mc, candidate,
+			LDAP_BACK_CONN_ISPRIV( mc ), sendok );
 
 		if ( rc == LDAP_SUCCESS ) {
         		rc = meta_back_single_dobind( op, rs, mc, candidate,
@@ -804,16 +826,14 @@ meta_back_getconn(
 
 		for ( i = 0; i < mi->mi_ntargets; i++ ) {
 			metatarget_t		*mt = &mi->mi_targets[ i ];
-			metasingleconn_t	*msc = &mc->mc_conns[ i ];
 
 			/*
 			 * The target is activated; if needed, it is
 			 * also init'd
 			 */
 			candidates[ i ].sr_err = meta_back_init_one_conn( op,
-				rs, mt, mc, msc,
-				LDAP_BACK_CONN_ISPRIV( &mc_curr ),
-				i == mc->mc_authz_target, sendok );
+				rs, mt, mc, i,
+				LDAP_BACK_CONN_ISPRIV( &mc_curr ), sendok );
 			if ( candidates[ i ].sr_err == LDAP_SUCCESS ) {
 				candidates[ i ].sr_tag = META_CANDIDATE;
 				ncandidates++;
@@ -920,7 +940,7 @@ meta_back_getconn(
 		}
 
 		Debug( LDAP_DEBUG_TRACE,
-	"==>meta_back_getconn: got target %d for ndn=\"%s\" from cache\n",
+	"==>meta_back_getconn: got target=%d for ndn=\"%s\" from cache\n",
 				i, op->o_req_ndn.bv_val, 0 );
 
 		if ( mc == NULL ) {
@@ -957,9 +977,8 @@ meta_back_getconn(
 		 * also init'd. In case of error, meta_back_init_one_conn
 		 * sends the appropriate result.
 		 */
-		err = meta_back_init_one_conn( op, rs, mt, mc, msc,
-			LDAP_BACK_CONN_ISPRIV( &mc_curr ),
-			i == mc->mc_authz_target, sendok );
+		err = meta_back_init_one_conn( op, rs, mt, mc, i,
+			LDAP_BACK_CONN_ISPRIV( &mc_curr ), sendok );
 		if ( err != LDAP_SUCCESS ) {
 			/*
 			 * FIXME: in case one target cannot
@@ -1014,16 +1033,15 @@ meta_back_getconn(
 				 * also init'd
 				 */
 				int lerr = meta_back_init_one_conn( op, rs,
-						mt, mc, msc,
+						mt, mc, i,
 						LDAP_BACK_CONN_ISPRIV( &mc_curr ),
-						i == mc->mc_authz_target,
 						sendok );
 				if ( lerr == LDAP_SUCCESS ) {
 					candidates[ i ].sr_tag = META_CANDIDATE;
 					candidates[ i ].sr_err = LDAP_SUCCESS;
 					ncandidates++;
 
-					Debug( LDAP_DEBUG_TRACE, "%s: meta_back_init_one_conn(%d)\n",
+					Debug( LDAP_DEBUG_TRACE, "%s: meta_back_getconn[%d]\n",
 						op->o_log_prefix, i, 0 );
 
 				} else {
@@ -1040,7 +1058,7 @@ meta_back_getconn(
 					candidates[ i ].sr_err = lerr;
 					err = lerr;
 
-					Debug( LDAP_DEBUG_ANY, "%s: meta_back_init_one_conn(%d) failed: %d\n",
+					Debug( LDAP_DEBUG_ANY, "%s: meta_back_getconn[%d] failed: %d\n",
 						op->o_log_prefix, i, lerr );
 
 					continue;