[Dovecot] behavior of dovecot with Openldap
Dear team,
I'm sorry if this is a stupid question, but I'd like to know the behavior of dovecot in a particular situation. My questions are as follows.
In /etc/dovecot-ldap.conf, the 'hosts=' field is the one which can be used to specify the available ldap servers for the clients to access to authorize. Several ldap servers can also be specified in the 'hosts =' field, as shown below.
hosts = ldap-server1.example.com ldap-server2.example.com
※ Both servers have the same configuration, and replication is available from ldap-server1 (master) to ldap-server2 (slave).
If this is right, how does dovecot know which ldap server is currently used? And if the master dies, how does dovecot know and switch to the slave one? In addition, which one is the exact behavior of dovecot in case the master server dies?
- only switching to the slave server
- switching to the slave server, and once the master server is active again, switching back to the master server automatically
OS: RHEL4 U3, kernel 2.6.9-34.ELsmp, openldap-2.2.13-12.el4
Thanks in advance,
Masaharu Kawada
Masaharu Kawada Associate Global Support Engineer Red Hat K K Ebisu Neonato 8F 1-18 Ebisu 4-chome, Shibuya-ku Tokyo 150-0013, Japan Direct: +81-3-5798-8482
On Jan 19, 2009, at 3:04 AM, Masaharu Kawada wrote:
> In /etc/dovecot-ldap.conf, the 'hosts=' field is the one which can be used to specify the available ldap servers for the clients to access to authorize. Several ldap servers can also be specified in the 'hosts =' field, as shown below.
> hosts = ldap-server1.example.com ldap-server2.example.com
Dovecot simply passes these servers to the OpenLDAP library. It doesn't do anything with them itself.
> ※ Both servers have the same configuration, and replication is available from ldap-server1 (master) to ldap-server2 (slave).
> If this is right, how does dovecot know which ldap server is currently used? And if the master dies, how does dovecot know and switch to the slave one?
I'm pretty sure that configuration will simply use both the servers all the time more or less randomly. Unless the OpenLDAP library has some code that does something similar to what you're talking about, but somehow I doubt that.
Dear list,
Thank you very much for your quick answer.
This question is actually due to a phenomenon that the customer experienced about a month ago. For the details of the phenomenon, please see below.
- 2008/11/16 The customer updated the openldap package openldap-2.2.13-6.4E ⇒ openldap-2.2.13-12.el4
- 2008/12/22 A problem, which doesn't need to be investigated this time, happened to the ldap server (server1), so the ldap service on server1 was temporarily stopped and restarted.
- 2008/01/06 The customer realized that authorization requests by dovecot clients were all failing, and did some investigation to find the reason. As a result, it turned out that dovecot was accessing only the other server (server2) to authorize, and server2 had not replicated any data from server1 since 2008/11/16, as shown by the replication log on server2 (the last update was 2008/11/16). Server2 was supposed to have, by replication, the same data as server1, which had the latest data at that time.
For this reason, the customer wants to know why dovecot accessed only server2 since the ldap package was updated on 2008/11/16, and also wants to know why replication had been failing after updating the package. However, since the customer is not able to provide enough information about this phenomenon because of their security policy, the customer said that all he wants to know this time is what the trigger is to switch to another ldap server (between server1 and server2) and, if possible, the way to specify which ldap server the client accesses, or the specification of dovecot for accessing ldap servers in case more than one ldap server is listed in the 'hosts=' field in /etc/dovecot-ldap.conf.
As you said, if both ldap servers are used randomly, it seems unusual that the authorization requests fail all the time; they should at least succeed when authorizing against server1, since server1 has had no problems after rebooting the ldap service on 2008/12/22. I'm afraid I have to ask: is there anything else that might be helpful or useful info to know about the specification of dovecot?
Thanks,
--
Masaharu Kawada Associate Global Support Engineer Red Hat K K Ebisu Neonato 8F 1-18 Ebisu 4-chome, Shibuya-ku Tokyo 150-0013, Japan Direct: +81-3-5798-8482
Masaharu Kawada wrote:
> I'm pretty sure that configuration will simply use both the servers all the time more or less randomly. Unless the OpenLDAP library has some code that does something similar to what you're talking about, but somehow I doubt that.
Here we use the "uris" parameter instead of "hosts", and we seem to have the expected behaviour: dovecot is always using the first listed uri except if it doesn't respond (then it switches to the second).
We can check it simply: the first listed server has more than 200 simultaneous connections daily, the 2nd has only one per slave (replication thread).
(We use the slave as the first uri.)
Hope this helps.
Geoffroy Desvernay
On Tuesday, 20 January 2009 at 08:47, geoffroy desvernay wrote:
> Here we use the "uris" parameter instead of "hosts", and we seem to have the expected behaviour: dovecot is always using the first listed uri except if it doesn't respond (then it switches to the second).
Same experience here (RHEL4 and several dovecot versions). Dovecot only uses the 1st ldap server in the uris variable, and only tries the other ones when this one doesn't respond: we've had some problems with the primary server taking like 1 minute for each answer and dovecot didn't switch to the next one.
-- Joseba Torre. CIDIR Bizkaia.
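The connection-count check described in the two messages above can be run from the Dovecot host to see which listed LDAP server is actually carrying the authentication traffic. This is an added example, not code from the thread or from Dovecot; it assumes `ss -tn` output as input, and the sample lines and addresses (192.0.2.21 for ldap-server1, 192.0.2.22 for ldap-server2) are constructed.

```python
from collections import Counter

# Constructed `ss -tn` output from a Dovecot host (not taken from the thread).
# 192.0.2.21 / 192.0.2.22 are documentation addresses standing in for
# ldap-server1 / ldap-server2; 192.0.2.10 is the Dovecot host itself.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:41022     192.0.2.22:389
ESTAB      0      0      192.0.2.10:41030     192.0.2.22:389
ESTAB      0      0      192.0.2.10:41031     192.0.2.22:389
TIME-WAIT  0      0      192.0.2.10:41001     192.0.2.21:389
ESTAB      0      0      192.0.2.10:993       198.51.100.7:50211
"""

LDAP_PORTS = {389, 636}


def ldap_peer_counts(ss_output):
    """Count ESTABLISHED connections per remote LDAP server."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line, closed or closing sockets
        host, _, port = fields[4].rpartition(":")
        if port.isdigit() and int(port) in LDAP_PORTS:
            counts[host.strip("[]")] += 1
    return counts


def check_server_order(counts, configured):
    """Compare live connections with the order given in hosts/uris."""
    in_use = [srv for srv in configured if counts.get(srv, 0) > 0]
    return {
        "in_use": in_use,
        # Traffic exists, but none of it goes to the first listed server.
        "on_fallback": bool(in_use) and in_use[0] != configured[0],
        # LDAP peers that are not in the configuration at all.
        "unlisted": sorted(set(counts) - set(configured)),
    }


if __name__ == "__main__":
    counts = ldap_peer_counts(SAMPLE_SS)
    print(dict(counts))
    print(check_server_order(counts, ["192.0.2.21", "192.0.2.22"]))
```

Run periodically, an `on_fallback` result that persists after the first server is healthy again points to the situation reported earlier in the thread, where authentication kept going to a replica that had stopped replicating.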
Hello,
Thank you very much for your response.
I have been keeping this thread on the latest mail sent by Timo-san.
Regards,
Masaharu Kawada
Hello,
Thank you very much for your response.
I have been keeping this thread on the latest mail sent by Timo-san.
Regards,
Masaharu Kawada
On Tue, 2009-01-20 at 13:53 +0900, Masaharu Kawada wrote:
> - 2008/11/16 The customer updated the openldap package openldap-2.2.13-6.4E ⇒ openldap-2.2.13-12.el4
> ..
> For this reason, the customer wants to know why dovecot accessed only server2 since the ldap package was updated on 2008/11/16, and also wants to know why replication had been failing after updating the package.
Any idea what Dovecot version? rhel4 had 1.0.rc15 I think? I know there were some LDAP bugs in it, but I don't really remember anymore. Did Dovecot really try to access the server2, or was it simply unable to reconnect to the LDAP server at all? If the latter, it's probably just an rc15 bug.
> As you said, if both ldap servers are used randomly,
That was only a guess. If the problem was with reconnection, it is (was) a Dovecot bug. If the problem is something else, it's because of the OpenLDAP library, which I don't really know much about.
Dear all,
Thank you very much for your help.
> Any idea what Dovecot version? rhel4 had 1.0.rc15 I think? I know there were some LDAP bugs in it, but I don't really remember anymore. Did Dovecot really try to access the server2, or was it simply unable to reconnect to the LDAP server at all? If the latter, it's probably just an rc15 bug.
Since the customer has been using RHEL4.3, the Dovecot version should be something in between dovecot-0.99.11-2.EL4.1 and 0.99.11-9.EL4. These are all for RHEL4. I'm sorry that I have not been provided the version.
Yes, after server1 became unable to respond, Dovecot was accessing the server2. In addition, although the ldap service on server1 was restarted, which means that server1 should have been available to respond, Dovecot was still accessing the server2. Shouldn't Dovecot reconnect to the server1 once its service becomes available?
All I would like to know right now is as follows.
- About the specification of dovecot for reconnection
In case Dovecot switches to server2 because server1 has some problem such as the service being down, does the server2 never reconnect to the server1 even if the server1 becomes available to respond again? Even if so, is it sure that if the server2 is down, Dovecot normally tries to connect to the server1?
- Configuration by the 'hosts' and 'uris' parameters in dovecot-ldap.conf
Is there any difference in the reconnection behavior between those parameters? I believe that both parameters can specify several ldap servers, so I would like to know whether each parameter handles reconnection in the same way.
Thanks,
Masaharu Kawada
On 1/23/2009, Masaharu Kawada (mkawada@redhat.com) wrote:
> Since the customer has been using RHEL4.3, Dovecot version should be something in between dovecot-0.99.11-2.EL4.1 and 0.99.11-9.EL4. These are all for RHEL4. I'm sorry that I have not been provided the version.
Well, you need to find out... if they are still on any 0.99 version, further troubleshooting is pointless (imho) until they are upgraded...
--
Best regards,
Charles
On Fri, 2009-01-23 at 15:17 +0900, Masaharu Kawada wrote:
>> Any idea what Dovecot version? rhel4 had 1.0.rc15 I think? I know there were some LDAP bugs in it, but I don't really remember anymore. Did Dovecot really try to access the server2, or was it simply unable to reconnect to the LDAP server at all? If the latter, it's probably just an rc15 bug.
> Since the customer has been using RHEL4.3, the Dovecot version should be something in between dovecot-0.99.11-2.EL4.1 and 0.99.11-9.EL4. These are all for RHEL4. I'm sorry that I have not been provided the version.
Like Charles said, from my point of view v0.99 is dead and buried. It's simply too old a version to waste any time on its bugs.
> - About the specification of dovecot for reconnection
> In case Dovecot switches to server2 because server1 has some problem such as the service being down, does the server2 never reconnect to the server1 even if the server1 becomes available to respond again? Even if so, is it sure that if the server2 is down, Dovecot normally tries to connect to the server1?
All of this is handled by the OpenLDAP library internally and I don't know how it works. But my GUESS is that it always simply connects to the first working server and never disconnects from it by itself.
> - Configuration by the 'hosts' and 'uris' parameters in dovecot-ldap.conf
> Is there any difference in the reconnection behavior between those parameters? I believe that both parameters can specify several ldap servers, so I would like to know whether each parameter handles reconnection in the same way.
Again this is handled by OpenLDAP internally. And again my GUESS is that there's no difference between their reconnection handling.
Dear all,
Thank you very much for your time and your big help.
I really appreciated all of you.
Best Regards,
Masaharu Kawada
participants (5)
- Charles Marcus
- geoffroy desvernay
- Joseba Torre
- Masaharu Kawada
- Timo Sirainen