Does Every bind need to unbind ?

General Discussion about LDAP Administrator


Postby karunanidhis » Tue Oct 03, 2006 9:25 pm

Hi Folks !
We have a few WebLogic applications talking to iPlanet LDAP for authentication.
Our LDAP Administrator complains that there are a huge number of binds and there are NO corresponding unbinds (50,000 binds/2000 unbinds). We do have that many authentications going through LDAP for sure. But question is, does every BIND need to UNBIND? From what I have read, UNBIND is NOT the opposite of BIND. It appears that UNBIND can be used when the client wants to close the connection. But is it necessary?

Thanks for your input.
karunanidhis
 
Posts: 3
Joined: Tue Oct 03, 2006 7:27 pm

Postby Support » Wed Oct 04, 2006 8:27 am

If your application does not use the 'connection pool' pattern, it's a really good idea to call UNBIND to free connection resources. However, as you noticed, UNBIND is not the opposite operation of BIND. So, if your application uses a connection pool there could be several BIND calls. BIND is used to change the security context of an LDAP operation to be executed.
Support
 
Posts: 896
Joined: Sun Aug 12, 2001 12:00 am

Postby karunanidhis » Wed Oct 04, 2006 12:07 pm

Awesome !
Yes, my applications use a connection pool. So, I understand that this behavior is expected.

But is it really a concern for LDAP Administrators? They keep telling me that every bind needs to unbind. They also tell me that my applications make a bind but do nothing after the bind. It appears that my applications authenticate the user first and then rebind with the security principal defined to connect to LDAP to keep the connection open. They are telling me about a performance hit on the LDAP server and all. But come on, 100,000 binds per day - is it really too high for LDAP? After all, that's what databases are supposed to handle, right?

Thanks much for your input. It really helped a lot.
karunanidhis
 
Posts: 3
Joined: Tue Oct 03, 2006 7:27 pm

Postby Support » Wed Oct 04, 2006 12:50 pm

"But question is, does every BIND need to UNBIND ?"

There could be a scenario without a bind at all. Suppose you read data from a public read-only server. In this case you don't need to send BIND at all, but should call UNBIND if you want to close the connection properly. So the answer to your question is obvious.

"It appears that UNBIND can be used when the client wants to close connection."

Exactly.

Does your directory administrator have statistics for the number of connections opened compared to the number of UNBINDs?
Support
 
Posts: 896
Joined: Sun Aug 12, 2001 12:00 am

Postby karunanidhis » Wed Oct 04, 2006 2:19 pm

Hi !
Here are the stats:

Binds: 21503
Unbinds: 1295
Opened Connections: 2411
Cleanly Closed Connections: 1295

So, it is clear that the client issues "unbind" when it needs to close the connection (that's why we have "cleanly closed connections = number of unbinds").

So, the way I understand this is, since my applications use connection pools, they DO NOT want to issue an "unbind" because unbind is going to close the connection (socket). My applications are going to keep the connections open and use the same connection for future "bind requests".

So, if my applications are to issue an unbind for every bind, we will see Binds = Unbinds, but we will also see Opened connections = Cleanly Closed connections = Binds = Unbinds (= 21503). Correct? I think this is what will put excessive load on the LDAP server (and not to mention the load on the application), because it opens a new connection for every bind. So I really want to say using connection pools (and hence not issuing unbind) increases performance.

Essentially, my LDAP Administrators are concerned that they are seeing a large number of binds without unbinds. Should they really be concerned?
They are saying this will choke up the LDAP Server and consume all the resources.
karunanidhis
 
Posts: 3
Joined: Tue Oct 03, 2006 7:27 pm
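
Added example, not part of the thread: the four counters quoted above can be broken down per connection, which separates pooled connections that rebind many times from connections that are dropped without an UNBIND. The log lines are constructed, and the format and close codes (`U1` = closed after UNBIND) are assumed to follow the iPlanet/Sun/389 Directory Server access-log style; adjust the pattern for your server.

```python
import re
from collections import defaultdict

# Constructed sample; format and close codes are assumptions (see lead-in).
SAMPLE_LOG = """\
[04/Oct/2006:14:00:01 -0400] conn=1 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.9
[04/Oct/2006:14:00:01 -0400] conn=1 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[04/Oct/2006:14:00:01 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[04/Oct/2006:14:00:01 -0400] conn=1 op=1 BIND dn="cn=appsvc,dc=example,dc=com" method=128 version=3
[04/Oct/2006:14:00:07 -0400] conn=1 op=2 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[04/Oct/2006:14:00:07 -0400] conn=1 op=3 BIND dn="cn=appsvc,dc=example,dc=com" method=128 version=3
[04/Oct/2006:14:01:00 -0400] conn=2 fd=65 slot=65 connection from 10.0.0.6 to 10.0.0.9
[04/Oct/2006:14:01:00 -0400] conn=2 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128 version=3
[04/Oct/2006:14:01:01 -0400] conn=2 op=1 UNBIND
[04/Oct/2006:14:01:01 -0400] conn=2 op=1 fd=65 closed - U1
[04/Oct/2006:14:02:00 -0400] conn=3 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.9
[04/Oct/2006:14:02:00 -0400] conn=3 op=0 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128 version=3
[04/Oct/2006:14:02:30 -0400] conn=3 op=-1 fd=66 closed - B1
"""

EVENT = re.compile(r"conn=(\d+) (?:op=-?\d+ )?(?:fd=\d+ )?(?:slot=\d+ )?"
                   r"(connection from|BIND|UNBIND|closed)(?: - (\w+))?")

def summarize(log_text):
    """Return (totals, per-connection state) for BIND/UNBIND/open/close events."""
    conns = defaultdict(lambda: {"binds": 0, "unbinds": 0, "open": False, "close_code": None})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # RESULT, SRCH and other operations are not counted here
        conn, event, code = m.groups()
        c = conns[conn]
        if event == "connection from":
            c["open"] = True
        elif event == "BIND":
            c["binds"] += 1
        elif event == "UNBIND":
            c["unbinds"] += 1
        else:  # "closed": record how the socket went away
            c["open"], c["close_code"] = False, code
    v = list(conns.values())
    totals = {
        "binds": sum(c["binds"] for c in v),
        "unbinds": sum(c["unbinds"] for c in v),
        "opened": len(v),  # every connection id seen in the log
        "cleanly_closed": sum(c["close_code"] == "U1" for c in v),
        "closed_without_unbind": sum(c["close_code"] not in (None, "U1") for c in v),
        "still_open": sum(c["open"] for c in v),
    }
    return totals, dict(conns)
```

On the sample, conn=1 shows the pooled pattern from the thread (user bind, then rebind as the service principal, repeated on one socket), while conn=3 is the case worth an administrator's attention: a connection that went away with no UNBIND.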

