Active Directory multiple simultaneous binds on same ldap ..

Guest
Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.active.directory.interfaces,microsoft.public.windows.server.active_directory

Hi All,

We have a multithreaded application that may make simultaneous binds
[ldap_simple_bind] using the same ldap [not ADSI] connection to
authenticate users. We recently observed the following error in our
logs.

LdapErr: DSID-0C060454, comment: Only one outstanding bind per
connection allowed, data 0, v893

Has anybody seen this error before?

Is this documented somewhere? Is there a way to tune the number of
outstanding binds per connection?


I found the following article in the MS knowledge base that seems to
indicate that multiple binds on the same connection are allowed and
there was a bug fixed in that area.

http://support.microsoft.com/kb/289644/EN-US/


However I also found the following article in MSDN that states that
"Most LDAP calls are thread safe even when sharing the same connection
handle. The one exception is the LDAP bind. Do not attempt LDAP binds
simultaneously from two threads using the same connection."

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/BuildingADApps.asp



Can someone please clarify?

Thanks & Regards,
Pradnyesh Rane
 
Guest

Are you using Fast Concurrent Binding (LDAP_OPT_FAST_CONCURRENT_BIND)?

Joe K.

"Pradnyesh Rane" <pradnyesh@eudoramail.com> wrote in message
news:75211d2a.0501131908.30532556@posting.google.com...
> Hi All,
>
> We have a multithreaded application that may make simultaneous binds
> [ldap_simple_bind] using the same ldap [not ADSI] connection to
> authenticate users. We recently observed the following error in our
> logs.
>
> LdapErr: DSID-0C060454, comment: Only one outstanding bind per
> connection allowed, data 0, v893
>
> Has anybody seen this error before?
>
> Is this documented somewhere? Is there a way to tune the number of
> outstanding binds per connection.
>
>
> I found the following article in the MS knowledge base that seems to
> indicate that multiple binds on the same connection are allowed and
> there was a bug fixed in that area.
>
> http://support.microsoft.com/kb/289644/EN-US/
>
>
> However I also found the following article in MSDN that states that
> "Most LDAP calls are thread safe even when sharing the same connection
> handle. The one exception is the LDAP bind. Do not attempt LDAP binds
> simultaneously from two threads using the same connection."
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/BuildingADApps.asp
>
>
>
> Can someone please clarify.
>
> Thanks & Regards,
> Pradnyesh Rane
 
Guest

We have not set the fast bind option since we are running against Active
Directory 2000. The fast bind option is only available on Active
Directory.NET [2003].

Thanks & Regards,
Pradnyesh

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:#18Fntf#EHA.4004@tk2msftngp13.phx.gbl...
> Are you using Fast Concurrent Binding (LDAP_OPT_FAST_CONCURRENT_BIND)?
>
> Joe K.
>
> "Pradnyesh Rane" <pradnyesh@eudoramail.com> wrote in message
> news:75211d2a.0501131908.30532556@posting.google.com...
> > Hi All,
> >
> > We have a multithreaded application that may make simultaneous binds
> > [ldap_simple_bind] using the same ldap [not ADSI] connection to
> > authenticate users. We recently observed the following error in our
> > logs.
> >
> > LdapErr: DSID-0C060454, comment: Only one outstanding bind per
> > connection allowed, data 0, v893
> >
> > Has anybody seen this error before?
> >
> > Is this documented somewhere? Is there a way to tune the number of
> > outstanding binds per connection.
> >
> >
> > I found the following article in the MS knowledge base that seems to
> > indicate that multiple binds on the same connection are allowed and
> > there was a bug fixed in that area.
> >
> > http://support.microsoft.com/kb/289644/EN-US/
> >
> >
> > However I also found the following article in MSDN that states that
> > "Most LDAP calls are thread safe even when sharing the same connection
> > handle. The one exception is the LDAP bind. Do not attempt LDAP binds
> > simultaneously from two threads using the same connection."
> >
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/BuildingADApps.asp
> >
> >
> >
> > Can someone please clarify.
> >
> > Thanks & Regards,
> > Pradnyesh Rane
>
>
 
Guest

My understanding is that you are only supposed to bind once per connection
unless you are using FCB under 2003. You might consider doing a new
connection for each bind or implementing some sort of pool if you are
worried about running out of TCP ports.

I'm not really the expert on this, so perhaps someone from MS will weigh in.

It sounds like you are trying to do authentication to AD. Have you
considered using the SSPI API instead? That's what it's for.

Joe K.
"Pradnyesh Rane" <pradnyesh@eudoramail.com> wrote in message
news:eLeSr3o%23EHA.2316@TK2MSFTNGP15.phx.gbl...
> We have not set the fast bind option since we are running against Active
> Directory 2000. The fast bind option is only available on Active
> Directory.NET [2003].
>
> Thanks & Regards,
> Pradnyesh
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:#18Fntf#EHA.4004@tk2msftngp13.phx.gbl...
>> Are you using Fast Concurrent Binding (LDAP_OPT_FAST_CONCURRENT_BIND)?
>>
>> Joe K.
>>
>> "Pradnyesh Rane" <pradnyesh@eudoramail.com> wrote in message
>> news:75211d2a.0501131908.30532556@posting.google.com...
>> > Hi All,
>> >
>> > We have a multithreaded application that may make simultaneous binds
>> > [ldap_simple_bind] using the same ldap [not ADSI] connection to
>> > authenticate users. We recently observed the following error in our
>> > logs.
>> >
>> > LdapErr: DSID-0C060454, comment: Only one outstanding bind per
>> > connection allowed, data 0, v893
>> >
>> > Has anybody seen this error before?
>> >
>> > Is this documented somewhere? Is there a way to tune the number of
>> > outstanding binds per connection.
>> >
>> >
>> > I found the following article in the MS knowledge base that seems to
>> > indicate that multiple binds on the same connection are allowed and
>> > there was a bug fixed in that area.
>> >
>> > http://support.microsoft.com/kb/289644/EN-US/
>> >
>> >
>> > However I also found the following article in MSDN that states that
>> > "Most LDAP calls are thread safe even when sharing the same connection
>> > handle. The one exception is the LDAP bind. Do not attempt LDAP binds
>> > simultaneously from two threads using the same connection."
>> >
>> >
>> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/BuildingADApps.asp
>> >
>> >
>> >
>> > Can someone please clarify.
>> >
>> > Thanks & Regards,
>> > Pradnyesh Rane
>>
>>
>
>
 
Guest

You can bind multiple times on a single connection, however, it is not thread
safe. All of the binds should be sent through a single thread in a consecutive
manner or multiple connections should be used with each sending binds
consecutively. You are changing the security context of the connection each time
you do it.

The LDAP_OPT_FAST_CONCURRENT_BIND supposedly will allow concurrent binds (hence
the name) however I haven't had a chance to try it out to say for sure; it is
interesting though that the online docs don't mention it as an exception to the
thread safeness of ldap_bind. Obviously if you are on Windows 2000 you can't use
that. It requires the Windows 2003 client and server sides.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Joe Kaplan (MVP - ADSI) wrote:
> My understanding is that you are only supposed to bind once per connection
> unless you are using FCB under 2003. You might consider doing a new
> connection for each bind or implementing some sort of pool if you are
> worried about running out of TCP ports.
>
> I'm not really the expert on this, so perhaps someone from MS will weigh in.
>
> It sounds like you are trying to do authentication to AD. Have you
> considered using the SSPI API instead? That's what it's for.
>
> Joe K.
> "Pradnyesh Rane" <pradnyesh@eudoramail.com> wrote in message
> news:eLeSr3o%23EHA.2316@TK2MSFTNGP15.phx.gbl...
>
>>We have not set the fast bind option since we are running against Active
>>Directory 2000. The fast bind option is only available on Active
>>Directory.NET [2003].
>>
>>Thanks & Regards,
>>Pradnyesh
>>
>>"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
>>in message news:#18Fntf#EHA.4004@tk2msftngp13.phx.gbl...
>>
>>>Are you using Fast Concurrent Binding (LDAP_OPT_FAST_CONCURRENT_BIND)?
>>>
>>>Joe K.
>>>
>>>"Pradnyesh Rane" <pradnyesh@eudoramail.com> wrote in message
>>>news:75211d2a.0501131908.30532556@posting.google.com...
>>>
>>>>Hi All,
>>>>
>>>>We have a multithreaded application that may make simultaneous binds
>>>>[ldap_simple_bind] using the same ldap [not ADSI] connection to
>>>>authenticate users. We recently observed the following error in our
>>>>logs.
>>>>
>>>>LdapErr: DSID-0C060454, comment: Only one outstanding bind per
>>>>connection allowed, data 0, v893
>>>>
>>>>Has anybody seen this error before?
>>>>
>>>>Is this documented somewhere? Is there a way to tune the number of
>>>>outstanding binds per connection.
>>>>
>>>>
>>>>I found the following article in the MS knowledge base that seems to
>>>>indicate that multiple binds on the same connection are allowed and
>>>>there was a bug fixed in that area.
>>>>
>>>>http://support.microsoft.com/kb/289644/EN-US/
>>>>
>>>>
>>>>However I also found the following article in MSDN that states that
>>>>"Most LDAP calls are thread safe even when sharing the same connection
>>>>handle. The one exception is the LDAP bind. Do not attempt LDAP binds
>>>>simultaneously from two threads using the same connection."
>>>>
>>>>
>>>>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/BuildingADApps.asp
>>>>
>>>>
>>>>Can someone please clarify.
>>>>
>>>>Thanks & Regards,
>>>>Pradnyesh Rane
>>>
>>>
>>
>
>
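
Added example, not from any poster in the thread: a portable C simulation of the advice above (several connections, with the binds on each one issued consecutively). `conn_t`, `sim_bind` and `run_binds` are hypothetical names; `sim_bind` stands in for a real bind call such as `ldap_simple_bind` and rejects a bind that overlaps another on the same handle, as the server did in the logged error.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define POOL_SIZE 2  /* separate connections to the directory server */
#define WORKERS   8  /* threads authenticating users at the same time */

/* Stand-in for a connection handle (assumption: real code would hold an LDAP*). */
typedef struct { pthread_mutex_t bind_lock; atomic_int outstanding; } conn_t;

static conn_t pool[POOL_SIZE] = { { PTHREAD_MUTEX_INITIALIZER, 0 },
                                  { PTHREAD_MUTEX_INITIALIZER, 0 } };
static atomic_int rejected;
static int use_lock;

/* Simulated bind: fails when another bind is already in flight on the handle. */
static int sim_bind(conn_t *c) {
    int ok = atomic_fetch_add(&c->outstanding, 1) == 0;
    for (volatile int i = 0; i < 200000; i++) { }  /* pretend round trip */
    atomic_fetch_sub(&c->outstanding, 1);
    return ok ? 0 : -1;
}

/* Each worker is pinned to one connection; the lock makes binds on it consecutive. */
static void *worker(void *arg) {
    conn_t *c = &pool[(size_t)arg % POOL_SIZE];
    if (use_lock) pthread_mutex_lock(&c->bind_lock);
    int rc = sim_bind(c);
    if (use_lock) pthread_mutex_unlock(&c->bind_lock);
    if (rc != 0) atomic_fetch_add(&rejected, 1);
    return NULL;
}

/* Run WORKERS concurrent binds; returns how many the simulated server rejected. */
int run_binds(int serialize) {
    pthread_t t[WORKERS];
    use_lock = serialize;
    atomic_store(&rejected, 0);
    for (size_t i = 0; i < WORKERS; i++) pthread_create(&t[i], NULL, worker, (void *)i);
    for (size_t i = 0; i < WORKERS; i++) pthread_join(t[i], NULL);
    return atomic_load(&rejected);
}

int main(void) {
    int racy = run_binds(0);    /* shared handle, no coordination: count varies */
    int safe = run_binds(1);    /* always 0 */
    printf("rejected without lock: %d, with lock: %d\n", racy, safe);
    return 0;
}
```

Because each bind changes the security context of the connection, as noted in the thread, connections used to verify user credentials are best kept apart from connections used for directory queries.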