We will try this as a next step to find a workaround. The problem with clientidletimeout=5 mins in the OpenLDAP server is that it is a global server definition and has the net effect of changing replication from refreshAndPersist into type refreshOnly, which is not a welcome side effect. We will look at other options; still, the better candidate is ldap_idle_disconnect on the Dovecot side, or any other kind of logic able to detect this kind of problem. Best regards
2011/11/7 Timo Sirainen <tss@iki.fi>
If you set the OpenLDAP server to close idle clients sooner than the connection itself is dropped by the firewall (or whatever), then Dovecot sees the disconnection and won't hang. So you could try something like clientidletimeout=5 mins.
On Mon, 2011-11-07 at 18:02 -0500, Aliet Santiesteban Sifontes wrote:
We checked with the firewall admins and they cannot change the drop action; this model doesn't support reject, only drop. But for testing they changed the LDAP protocol idle timeout, which was set to 30 mins, to never, so the firewall never drops idle LDAP connections. We also verified the clientidletimeout option in OpenLDAP, but it is set to 0, which means never close an idle connection. After testing again we see the connection hanging again after user inactivity. We will keep looking for other issues and maybe do some packet captures to see what is really happening. Best regards. BTW, it would be great to have this ldap_idle_disconnect = 30s
2011/11/4 Timo Sirainen <tss@iki.fi>
On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
> I'm having a problem with the Dovecot LDAP connection when the LDAP server is in
> another firewall zone: the firewall kills the LDAP connection after a
> determined period of inactivity. This is good from the firewall's point of
> view but bad for Dovecot, because it never knows the connection has been
> dropped. This creates long timeouts in Dovecot until it finally reconnects;
> meanwhile many users fail to authenticate. I have seen this kind of post
> on the list for a while but can't find a solution for it, so my question is:
> how do I define an idle LDAP time in Dovecot so it can reconnect before the
> firewall has dropped the connection, or just close the connection under
> inactivity, so that when a user authenticates it doesn't fail for a while until
> Dovecot detects that the connection has hung? Is this a feature request,
> or is there already a configuration for this???

Can't the firewall be changed to reject the LDAP packets instead of dropping them? Then Dovecot would immediately notice that the connection has died, and with a recent enough version it wouldn't even log an error about it.

I guess some kind of an "ldap_idle_disconnect = 30s" setting could be added, but it's not a very high priority for me.
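The client-side idle-disconnect logic this thread asks for, as an added example that is mine and not Dovecot's or OpenLDAP's code: a connection wrapper that reconnects proactively once it has been idle longer than a configurable window (the proposed 30 s) and caps every wait with a socket timeout, so a firewall that silently drops an idle flow costs one bounded error instead of a long hang. The echo server, the 30 s window and the 2 s timeout are constructed for the demo; the server swallows b"HANG" to imitate a dropped link.

```python
import socket, threading, time
IDLE_DISCONNECT = 30.0  # seconds; analogue of the proposed "ldap_idle_disconnect = 30s"
OP_TIMEOUT = 2.0        # bound on waiting for a reply before declaring the link dead
class IdleAwareClient:
    # Reconnects proactively after IDLE_DISCONNECT of inactivity and bounds every wait with
    # a socket timeout, so a silently dropped flow never parks us. Clock is injectable.
    def __init__(self, addr, idle=IDLE_DISCONNECT, clock=time.monotonic):
        self.addr, self.idle, self.clock = addr, idle, clock
        self.sock, self.last_used, self.connects = None, None, 0
    def _connect(self):
        if self.sock: self.sock.close()
        self.sock = socket.create_connection(self.addr, timeout=OP_TIMEOUT)
        self.connects += 1
    def request(self, payload: bytes) -> bytes:
        if self.sock is None or self.clock() - self.last_used > self.idle:
            self._connect()  # idle too long: assume the firewall already dropped it
        try:
            self.sock.sendall(payload)
            data = self.sock.recv(1024)
            if not data: raise ConnectionError("peer closed")
        except OSError as e:  # socket.timeout is an OSError: the peer went silent
            self.sock.close(); self.sock = None
            raise ConnectionError(f"link dead ({e}); reconnecting on next call")
        self.last_used = self.clock()
        return data

def start_fake_server() -> int:
    # Constructed slapd stand-in: echoes requests, but swallows b"HANG" without replying.
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while data := conn.recv(1024):
                    if data != b"HANG": conn.sendall(data)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def run_demo() -> dict:
    fake = [0.0]  # hand-advanced clock instead of real sleeping
    c = IdleAwareClient(("127.0.0.1", start_fake_server()), clock=lambda: fake[0])
    out = {"first": c.request(b"bind")}
    fake[0] += 5; out["reused"] = c.request(b"search")  # inside window: same socket
    fake[0] += 31; c.request(b"search")  # idle > 30 s: proactively reconnected
    out["reconnected"] = c.connects == 2
    t0 = time.monotonic()
    try: c.request(b"HANG"); out["hang_error"] = False
    except ConnectionError: out["hang_error"] = True  # seen after OP_TIMEOUT, not 30 min
    out["bounded"] = time.monotonic() - t0 < OP_TIMEOUT + 1
    return out
```

The same two controls (an idle window shorter than the firewall's, plus a bounded per-operation timeout) are what let the client recover on the next request instead of waiting out the firewall's silence.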