[Dovecot] dovecot not reconnecting to ldap after ldap restart
I upgraded dovecot two weeks ago from 0.99.10-0.rc2 to 0.99.10.4-1woody1 (both from the woody backport packages from braincells.com).
Dovecot is using LDAP on a separate machine for authentication.
(through stunnel if it matters)
At 4:00 am, the LDAP server stops, dumps the ldap database, and then starts back up. Because the LDAP server is stopped, anyone who tries to authenticate during the few seconds will be denied. This isn't a big deal since it's 4:00 am. However, twice in the past two weeks, it appears that if dovecot can't connect to the LDAP server, it loses the ability until dovecot is restarted. It's only happened since I upgraded, and it's only happened twice, presumably when someone was trying to check their mail at the precise moment the LDAP server is down.
I get the following entry in mail.err:
Mar 30 04:00:18 akbar dovecot-auth: LDAP: ldap_result() failed: Can't contact LDAP server Mar 30 04:00:19 akbar dovecot-auth: LDAP: Can't connect to server: localhost Mar 30 04:00:50 akbar last message repeated 36 times . . .
The two times it has happened, ldap is responding properly (all other services we provide which use LDAP still work), stunnel on the dovecot machine is still running, and dovecot is still running, accepting IMAP and POP connections, but failing at the authentication phase.
Is there some change or bug in dovecot which would make this happen?
Or is there a problem with my set up?
Thanks in advance for any ideas.
-jared
On Tue, 30 Mar 2004, Jared wrote:
Is there some change or bug in dovecot which would make this happen? Or is there a problem with my set up?
More likely your setup I should think. Why are you using stunnel when Debians LDAP supports SSL/TLS natively?
-- Jaldhar H. Vyas jaldhar@debian.org La Salle Debain - http://www.braincells.com/debian/
I'm happy to accept suggestions about why my setup would cause this problem, but as I said, the only thing that has changed is the upgrade to dovecot. And both LDAP, and stunnel are working fine with all other services after the LDAP server is restarted.
It's been a while since I set everything up, but if I recall correctly,
we used stunnel for a couple reasons. The default ldap related woody
packages (at least when I set it up) did not have SSL/TLS compiled in.
I made my own ldap debs with SSL/TLS support, but we still had problems
with SSH using PAM and LDAP with SSL/TLS. The server would freeze. I
confirmed this bug with others. I've never had any problems with
stunnel.
Thanks,
-jared
On Mar 30, 2004, at 6:19 PM, Jaldhar H. Vyas wrote:
On Tue, 30 Mar 2004, Jared wrote:
Is there some change or bug in dovecot which would make this happen? Or is there a problem with my set up?
More likely your setup I should think. Why are you using stunnel when Debians LDAP supports SSL/TLS natively?
-- Jaldhar H. Vyas jaldhar@debian.org La Salle Debain - http://www.braincells.com/debian/
I've taken some time to try to reproduce my problem on my sandbox. I was able to consistently reproduce it...
In the following scenario: dovecot -> stunnel -> ldap server when the ldap server is restarted, dovecot can no longer connect to the LDAP server through stunnel.
When I have dovecot connect directly to the ldap server (without SSL/TLS) and restart the server, dovecot works properly. It can continue to authenticate when the LDAP server becomes available again.
So I'd like to try to not use stunnel with dovecot. But how do I configure dovecot-ldap.conf to connect directly to the LDAP server with SSL/TLS?
I've tried:
hosts = ldaps://ldap.server.com and hosts = ldap.server.com:636
But neither work.
I didn't see another directive to use to turn SSL/TLS on in the conf file or in the docs.
Thanks, -jared
On Mar 30, 2004, at 1:30 PM, Jared wrote:
I upgraded dovecot two weeks ago from 0.99.10-0.rc2 to 0.99.10.4-1woody1 (both from the woody backport packages from braincells.com).
Dovecot is using LDAP on a separate machine for authentication.
(through stunnel if it matters)At 4:00 am, the LDAP server stops, dumps the ldap database, and then starts back up. Because the LDAP server is stopped, anyone who tries to authenticate during the few seconds will be denied. This isn't a big deal since it's 4:00 am. However, twice in the past two weeks, it appears that if dovecot can't connect to the LDAP server, it loses the ability until dovecot is restarted. It's only happened since I upgraded, and it's only happened twice, presumably when someone was trying to check their mail at the precise moment the LDAP server is down.
I get the following entry in mail.err:
Mar 30 04:00:18 akbar dovecot-auth: LDAP: ldap_result() failed: Can't contact LDAP server Mar 30 04:00:19 akbar dovecot-auth: LDAP: Can't connect to server: localhost Mar 30 04:00:50 akbar last message repeated 36 times . . .
The two times it has happened, ldap is responding properly (all other services we provide which use LDAP still work), stunnel on the dovecot machine is still running, and dovecot is still running, accepting IMAP and POP connections, but failing at the authentication phase.
Is there some change or bug in dovecot which would make this happen?
Or is there a problem with my set up?Thanks in advance for any ideas.
-jared
On Fri Apr 2 18:17:50 2004 redjar at redjar.org (Jared) wrote:
[...]
So I'd like to try to not use stunnel with dovecot. But how do I configure dovecot-ldap.conf to connect directly to the LDAP server with SSL/TLS?
I've tried:
hosts = ldaps://ldap.server.com and hosts = ldap.server.com:636
But neither work.
I didn't see another directive to use to turn SSL/TLS on in the conf file or in the docs.
There is no way in current dovecot source. I hit the same issue when I tested dovecot. I'm attaching the patches that I have in my local pkgsrc tree.
What they do is:
Change default value for 'hosts' to NULL instead of 'localhost'. That way, libldap will choose the default list of server as specified in OpenLDAP's ldap.conf configuration file.
Add a new configuration stance, 'uris', which you can set to a list of URIs that will be passed directly to libldap, which understands them.
I hope the patches will be included in dovecot tree, however it might be best to fall back on 'hosts' value if using'uris' fails. In my patch, 'hosts' is ignored if 'uris' is filled in.
Quentin Garnier.
participants (3)
-
Jaldhar H. Vyas
-
Jared
-
Quentin Garnier