logs archiveBotHelp.net / Freenode / #389 / 2015 / September / 2 / 1
Firstyear
nhosoi_: As you may have seen, I worked out the ASN issue and have a working control now.
richm
Firstyear: what was the problem?
nhosoi_
Firstyear: great progress!
Firstyear
I didn't know about implicit tags :)
Before last week I'd never touched ASN at all, so I think I did pretty well
richm
Firstyear: yeah, ASN is pretty daunting
Firstyear: cheers!
Firstyear
It was a great learning experience, and plenty of people helped me with it.
richm
Now you're ready to debug Wireshark LDAP BER traces :-)
Firstyear
nhosoi_: Once we are happy with it for lib389, I'll see about getting it into python-ldap
richm: I'm always up for a challenge ;)
nhosoi_: You'll be pleased to know I didn't dislocate any more fingers at judo either.
nhosoi_
Firstyear: so you recovered 100%?
Firstyear
nhosoi_: Well, my finger has.
nhosoi_: I rolled my ankle, and bruised my elbow and shoulder last night.
nhosoi_
Firstyear: glad to hear that!
oh, well...
Firstyear
Those don't affect my typing
nhosoi_
you read my mind... ;)
Firstyear
richm: http://luca.ntop.org/Teaching/Appunti/asn1.html <<-- was a good resource.
nhosoi_
but please take care...
Firstyear
Well, I'm now a quarter of the way to a black belt.
nhosoi_: Is there a way from the 389ds server to terminate a client connection?
nhosoi_
Firstyear: timeout?
set it very short?
Firstyear
The issue is that this client is making 3 million searches an hour, so I don't think a low timeout will help.
nhosoi_
hmmm...
Firstyear
Obviously, I need to fix the client, but they work in another department.
nhosoi_
Firstyear: we have these server disconnects...
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_ABORT, "A1" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_BAD_BER_TAG, "B1" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_BER_TOO_BIG, "B2" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_BER_PEEK, "B3" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_BER_FLUSH, "B4" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_REVENTS, "R1" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_IO_TIMEOUT, "T2" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_PLUGIN, "P1" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_UNBIND, "U1" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_POLL, "P2" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_NTSSL_TIMEOUT,"T2" )
disconnect_error_strings.h:ER2( SLAPD_DISCONNECT_SASL_FAIL,"S1" )
but they are all "errors"...
io timeout and idle timeout are programmable...
Firstyear
Hmmmm okay.
richm
you might be able to do something with iptables
Firstyear
I was thinking that might be what I have to do.
richm
but I don't know if you can use that to terminate already established connections
Firstyear
I was just looking for a cleaner way
If you do an iptables flush / reload, it drops connection state.
But that's not good ....
Or if I put in the drop, before the allow 389 and the allow related / established rule, that would work iirc.