Hi Timo,
On 03/01/2016 10:51 PM, Timo Sirainen wrote:
> On 29 Feb 2016, at 17:18, Gordon Grubert <gordon.grubert+lists@uni-greifswald.de> wrote:
>> Hi,
>> we are using a round-robin DNS record for connections to our LDAP system. This works fine for almost all cases. In particular, for Dovecot this means that when an LDAP server is stopped, Dovecot instantly reconnects to another LDAP server.
>> But when the network connection to the active LDAP server is broken, Dovecot sticks to the failed LDAP server. Is there any possibility to define a connection timeout?
>
> What should happen is that as long as new requests keep coming, Dovecot realizes after about 60 seconds that the LDAP server is hanging. It then reconnects and the reconnection should work. But... First of all, 60 seconds is likely a much too long timeout.
>
> But more importantly, it looks like there's something weird now going on with the OpenLDAP library. I added this somewhat recently and tested that it works:
> https://github.com/dovecot/core/commit/fb3178a1924dae52151d88c4d4ded879df43d...

thx a lot. I'll test this ASAP. IMHO, this will not really help, because the timeout is relevant when connecting to the LDAP server only and not for an active session, or?

> But now that I'm testing it, the timeout doesn't seem to be triggering. I don't know what happened to it that it suddenly doesn't work. This also means that OpenLDAP seems to be internally stuck trying to connect to a server that isn't responding. Dovecot doesn't currently make the decisions on which LDAP server to connect to. It just passes through all the hosts to the OpenLDAP library and lets it handle it. And it seems like the OpenLDAP library can't right now do this failover. So maybe Dovecot should be responsible for that as well..

You're right that there are some modifications in the OpenLDAP client. In 2014, the option BIND_POLICY in ldap.conf still existed. The current version does not support this option :-(

> Anyway, for now you could set up haproxy on localhost and configure Dovecot LDAP to connect to haproxy, and haproxy to connect to the actual LDAP servers.

I'll take a look at it.

Thx and best regards, Gordon
--
Technical Manager & Deputy Director, University Computing Centre (Universitätsrechenzentrum, URZ)
E.-M.-Arndt-Universität Greifswald
Felix-Hausdorff-Str. 12
17489 Greifswald
Germany
Tel. +49 3834 86 1456  Fax +49 3834 86 1401
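As an added example of the local haproxy workaround suggested in the thread (this is not configuration from the thread, from Dovecot or from the OpenLDAP project): an haproxy.cfg that listens on localhost and fails over between LDAP servers using an LDAP bind health check, so that a server whose network path is dead is taken out of rotation rather than hanging every new connection. The server names ldap1/ldap2.example.internal and all timeout values are assumptions to adapt locally.

```haproxy
# Assumed example config; not part of the original thread.
global
    log /dev/log local0
    maxconn 1000

defaults
    mode tcp                 # LDAP is proxied as opaque TCP, not inspected
    log global
    option tcplog
    timeout connect 3s       # assumption: cap the TCP handshake to a dead server
    timeout client  2m       # idle limit on Dovecot's side of a pooled connection
    timeout server  2m       # also bounds how long an already-open but hung session lasts
    retries 2
    option redispatch        # after a failed connect, try another server instead of failing

# Dovecot's dovecot-ldap.conf.ext points at this listener instead of the
# round-robin DNS name, e.g. "hosts = 127.0.0.1:389".
frontend ldap_local
    bind 127.0.0.1:389
    default_backend ldap_servers

backend ldap_servers
    balance roundrobin
    option ldap-check        # LDAPv3 anonymous bind as the health probe; a server that
                             # accepts TCP but never answers the bind is still marked down
    default-server inter 5s fall 2 rise 2   # ~10s to mark down, ~10s to bring back
    server ldap1 ldap1.example.internal:389 check
    server ldap2 ldap2.example.internal:389 check
```

The health check only steers new connections; a session that is already open to a failing server is cut when `timeout server` expires, so that value, not the connect timeout, bounds the hang Gordon describes.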