[Dovecot] dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Hi,
I'm new to the list; excuse me if this has been asked recently/before.
running:
# dovecot --version
1.0.8
Output of dovecot -n:
base_dir: /var/run/dovecot
protocols: none
ssl_disable: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/dovecot/libexec/dovecot/imap-login
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /usr/local/dovecot/etc/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /usr/local/dovecot/etc/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /usr/local/postfix/spool/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot-auth-master
      mode: 438
Using dovecot only for the purpose of providing SMTP AUTH service for Postfix, using Active Directory (AD) as authentication source. As you can see from the config, connectivity between Dovecot and AD is implemented using LDAP.
Contents of /usr/local/dovecot/etc/dovecot-ldap.conf (some site-specific info masqueraded):
auth_bind = yes
pass_filter = (sAMAccountName=%u)
hosts = AD1.domain.com:3268 AD2.domain.com:3268
dn = CN=Service Account Postfix,OU=Services,DC=domain,DC=com
dnpass = secret
ldap_version = 3
base = DC=domain,DC=com
scope = subtree
Now, this works fine and authentication via SMTP AUTH + Dovecot works perfectly. Yet, every 15 minutes I get the following warning in the syslog logfile:
Dec 24 07:20:00 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Dec 24 07:35:01 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Dec 24 07:50:01 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Dec 24 08:05:02 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Dec 24 08:20:02 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Dec 24 08:35:03 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
I've looked through the archives and it seems that this problem is caused by the fact that Dovecot (using the OpenLDAP client libraries?) keeps the LDAP connection open; after (in our case) 15 minutes Active Directory closes the connection and Dovecot signals this in the syslog (and presumably automatically will create a new connection to AD).
I'm pretty sure that the OpenLDAP client libraries provide options to use a client-side timeout for LDAP connections. My questions are:
* is there a reason that Dovecot wants to keep the LDAP connection open?
* Will the new V1.1 version have a config parameter to set the LDAP client timeout or a default timeout value to close the connection?
* If there's no 'fix' foreseen for V1.1, I'd like to file a request to add such a parameter. How can I file such a request?
The warning is annoying; the sysadmin will create a filter, to filter the warning out from the syslog, but I'm afraid that if there's a real problem with authentication, that will be filtered too and the real problem is not noticed, before users start to complain.
/rolf
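The concern in the message above is that a blanket syslog filter for this warning would also hide a real outage. An added example (not from the thread or from Dovecot) that separates the once-every-15-minutes idle-disconnect pattern from a burst of warnings; the cadence, tolerance and burst window are assumed thresholds, and the sample log lines are constructed:

```python
"""Triage Dovecot 'Can't contact LDAP server' warnings before filtering them."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: auth\(\w+\): "
    r"LDAP: ldap_result\(\) failed: Can't contact LDAP server$"
)
IDLE_PERIOD = timedelta(minutes=15)   # AD idle timeout observed in the thread
TOLERANCE = timedelta(seconds=30)     # assumed jitter allowance around that period
BURST_WINDOW = timedelta(minutes=5)   # assumed: two warnings this close is not idling

def parse_warnings(lines, year=2007):
    """Return timestamps of matching warnings; the year is assumed (syslog omits it)."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            found.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return found

def classify(timestamps):
    """Label each warning after the first by the gap to its predecessor."""
    labels = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        gap = cur - prev
        if gap <= BURST_WINDOW:
            labels.append("burst")          # repeated failures: likely a real outage
        elif abs(gap - IDLE_PERIOD) <= TOLERANCE:
            labels.append("idle-timeout")   # the benign pattern from the thread
        else:
            labels.append("other")          # unexpected cadence, keep visible
    return labels

def needs_attention(lines):
    """True if any warning does not fit the idle-disconnect pattern."""
    return any(label != "idle-timeout" for label in classify(parse_warnings(lines)))

# Constructed sample: the thread's 15-minute cadence, then a burst during an outage.
SAMPLE = [
    "Dec 24 07:20:00 mx dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server",
    "Dec 24 07:35:01 mx dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server",
    "Dec 24 07:50:01 mx dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server",
    "Dec 24 07:50:40 mx dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server",
    "Dec 24 07:51:15 mx dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server",
]

if __name__ == "__main__":
    print(classify(parse_warnings(SAMPLE)), needs_attention(SAMPLE))
```

Only warnings labelled "idle-timeout" are safe to drop from the syslog view; anything else should still reach the sysadmin.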
On Mon, 2007-12-24 at 10:45 +0100, Rolf E. Sonneveld wrote:
Dec 24 07:20:00 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
..
I've looked through the archives and it seems that this problem is caused by the fact that Dovecot (using the OpenLDAP client libraries?) keeps the LDAP connection open; after (in our case) 15 minutes Active Directory closes the connection and Dovecot signals this in the syslog (and presumably automatically will create a new connection to AD).
I'm pretty sure that the OpenLDAP client libraries provide options to use a client-side timeout for LDAP connections. My questions are:
* is there a reason that Dovecot wants to keep the LDAP connection open?
If there are no timeouts, there's not much point in wasting time and reconnecting for no reason.
* Will the new V1.1 version have a config parameter to set the LDAP client timeout or a default timeout value to close the connection?
No.
* If there's no 'fix' foreseen for V1.1, I'd like to file a request to add such a parameter. How can I file such a request?
How about this: http://hg.dovecot.org/dovecot/rev/ae0556fb268d
Timo Sirainen wrote:
On Mon, 2007-12-24 at 10:45 +0100, Rolf E. Sonneveld wrote:
Dec 24 07:20:00 hostname dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
..
I've looked through the archives and it seems that this problem is caused by the fact that Dovecot (using the OpenLDAP client libraries?) keeps the LDAP connection open; after (in our case) 15 minutes Active Directory closes the connection and Dovecot signals this in the syslog (and presumably automatically will create a new connection to AD).
I'm pretty sure that the OpenLDAP client libraries provide options to use a client-side timeout for LDAP connections. My questions are:
* is there a reason that Dovecot wants to keep the LDAP connection open?
If there are no timeouts, there's not much point in wasting time and reconnecting for no reason.
There are all sorts of situations where timeouts will occur: load balancers, firewalls, etc. Furthermore, keeping connections open will require extra resources on both client- and server side; in large-scale environments this can lead to problems.
* Will the new V1.1 version have a config parameter to set the LDAP client timeout or a default timeout value to close the connection?
No.
* If there's no 'fix' foreseen for V1.1, I'd like to file a request to add such a parameter. How can I file such a request?
How about this: http://hg.dovecot.org/dovecot/rev/ae0556fb268d
I was very much surprised and pleased to see this! Thanks very much. Yet, IMHO having a configurable timeout with a decent default value would be my preference, given the issues I listed above.
Regards, /rolf
On Fri, 2007-12-28 at 21:19 +0100, Rolf E. Sonneveld wrote:
* is there a reason that Dovecot wants to keep the LDAP connection open?
If there are no timeouts, there's not much point in wasting time and reconnecting for no reason.
There are all sorts of situations where timeouts will occur: load balancers, firewalls, etc. Furthermore, keeping connections open will require extra resources on both client- and server side; in large-scale environments this can lead to problems.
In large scale environments I'd think there won't be much idle time for the connection to ever get disconnected. And you know it is only 1 or 2 connections per Dovecot server.
I don't know how much resources a connection takes from LDAP server side, but on client side it's pretty much nothing. It certainly would take a lot more CPU and network usage to disconnect when idling.
If enough people ask for a configurable timeout setting with good enough reasons I might add it, but I'm not yet convinced there's any point in having it.