[Dovecot] LDAP congestion

Timo Sirainen tss at iki.fi
Wed Nov 7 18:03:27 EET 2012


On 6.11.2012, at 11.38, Bernhard Schmidt wrote:

> I've been asked to have a look at a misbehaving mail server of some
> colleagues today where almost all logins were failing or excessively
> delayed, while the LDAP database itself was pretty fast.
> 
> They run Dovecot 1.2.11 (yes, I know, stone age) against an LDAP server
> run by a 3rd party, auth_bind=yes (required). The problem is that this
> third party LDAP server delays bindResponse 3 seconds when the password
> is wrong. A user wanted to login every 2-3 seconds this morning with the
> wrong password, which effectively killed the system because the LDAP
> connection was mostly stalled waiting for the auth timeout.
> 
> From a previous discussion with Timo I know that bindRequests cannot be
> parallelized in LDAP, so the problem does not come completely
> unexpected. Other than removing the failure delay in the LDAP server, is
> there anything one can do? If there is any change in newer Dovecot
> versions about that please tell me so I can encourage them to upgrade,
> but I haven't seen anything in the changelog.
> 
> Any way to get several LDAP workers/connections for passdb in parallel?


Multiple LDAP connections is in TODO. The only alternative right now is to use e.g. checkpassword backend that does the ldap lookup in a script.
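
The congestion described in this thread can be reproduced with a small queueing model. The following is an added example, not part of the original messages and not Dovecot code: it treats each LDAP connection as serving one bind at a time and compares one connection with several. The 3 s failure delay and the 2.5 s retry interval come from the thread; the 50 ms successful bind and the legitimate login rate are assumptions.

```python
import heapq

FAIL_DELAY = 3.0     # from the thread: bindResponse is delayed 3 s on a wrong password
FAIL_INTERVAL = 2.5  # from the thread: one failing login every 2-3 s
OK_BIND = 0.05       # assumption: a successful bind takes 50 ms
OK_INTERVAL = 0.5    # assumption: one legitimate login every 0.5 s


def workload(duration):
    """Constructed arrival list: (arrival_time, bind_duration, kind), sorted by time."""
    jobs = [(i * FAIL_INTERVAL, FAIL_DELAY, "bad")
            for i in range(int(duration / FAIL_INTERVAL))]
    jobs += [(0.25 + i * OK_INTERVAL, OK_BIND, "ok")
             for i in range(int(duration / OK_INTERVAL))]
    return sorted(jobs)


def legit_waits(jobs, connections):
    """Queueing delay of each legitimate login when binds are served first come,
    first served, one bind at a time per connection."""
    free_at = [0.0] * connections  # min-heap: time at which each connection is idle
    waits = []
    for arrival, service, kind in jobs:
        start = max(arrival, heapq.heappop(free_at))  # earliest idle connection
        heapq.heappush(free_at, start + service)
        if kind == "ok":
            waits.append(start - arrival)
    return waits


def worst_wait(connections, duration=60):
    """Longest time a legitimate login spends queued during the simulated window."""
    return max(legit_waits(workload(duration), connections))


if __name__ == "__main__":
    for n in (1, 2, 4):
        print(f"{n} connection(s): worst legitimate wait {worst_wait(n):.2f} s")
```

With one connection the failing binds alone demand 3 s of service every 2.5 s, so the backlog grows for as long as the retries continue; with a few parallel connections the same load leaves legitimate logins essentially undelayed.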