[Dovecot] ldap idle connection timeout in DoveCot 1.0.13?
Hi there,
We are using Dovecot 1.0.13, and it connects to an LDAP server for authentication. It seems that Dovecot keeps the idle LDAP connection open.
Our firewall terminates these connections after some time of inactivity (2 hours), and then we run into authentication problems. If we restart either LDAP or Dovecot, it is fine again.
Can we set some kind of LDAP idle connection timeout in Dovecot (/etc/dovecot-ldap.conf)? I do not see any such configuration option for 1.0.13.
Another alternative is to set an idle connection timeout on the LDAP side, but we would prefer doing it in Dovecot.
Thanks, Yan
On 11.4.2012, at 17.49, Zhou, Yan wrote:
> We are using Dovecot 1.0.13, and it connects to an LDAP server for authentication. It seems that Dovecot keeps the idle LDAP connection open.
Yes.
> Our firewall terminates these connections after some time of inactivity (2 hours), and then we run into authentication problems. If we restart either LDAP or Dovecot, it is fine again.
> Can we set some kind of LDAP idle connection timeout in Dovecot (/etc/dovecot-ldap.conf)? I do not see any such configuration option for 1.0.13.
No. But if you upgrade to a newer Dovecot (v2.x probably) this is solved by automatic transparent reconnection.
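To make the two behaviours discussed here concrete, the following is an added illustration, not Dovecot's code and not part of the thread: a constructed local TCP server stands in for the LDAP server and can be told to "forget" established flows the way the stateful firewall did (requests on the old flow are swallowed with no reply and no TCP reset). The client shows the proactive idle timeout Yan asked for and the transparent reconnection Timo says newer Dovecot does: a request that gets no answer within a reply timeout is retried once on a fresh connection. The line protocol ("AUTH user" / "OK AUTH user") and all names are assumptions made for the example.

```python
import socket
import threading
import time


class DropSimulatingServer:
    """Constructed stand-in for the LDAP server. Each accepted connection remembers
    the server 'generation' at accept time; cut() bumps the generation, and handlers
    from an older generation swallow further requests without replying, which is
    what a firewall that has expired the flow (and sends no TCP RST) looks like
    from the client. Connections opened after the cut behave normally."""

    def __init__(self):
        self.generation = 0
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback
        self.listener.listen(8)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def cut(self):
        """Simulate the firewall forgetting all currently established flows."""
        self.generation += 1

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return  # listener closed, scenario finished
            threading.Thread(target=self._serve, args=(conn, self.generation), daemon=True).start()

    def _serve(self, conn, gen):
        with conn, conn.makefile("rb") as reader:
            for line in reader:
                if gen != self.generation:
                    continue  # stale flow: drop silently, no reply and no reset
                conn.sendall(b"OK " + line.strip() + b"\n")


class ReconnectingAuthClient:
    """Persistent connection with the two protections the 1.0.13 setup lacks: it is
    closed and reopened if it has sat idle longer than idle_timeout (so the firewall
    never sees a long-idle flow), and a request that gets no reply within
    reply_timeout is retried once on a fresh connection."""

    def __init__(self, port, idle_timeout=1.0, reply_timeout=0.5):
        self.port = port
        self.idle_timeout = idle_timeout
        self.reply_timeout = reply_timeout
        self.sock = None
        self.last_used = 0.0
        self.reconnects = 0  # counts every reopen, whichever rule triggered it

    def _open(self):
        self.sock = socket.create_connection(("127.0.0.1", self.port), timeout=self.reply_timeout)
        self.last_used = time.monotonic()

    def _close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None

    def _reopen(self):
        self._close()
        self.reconnects += 1
        self._open()

    def _request(self, line):
        self.sock.sendall(line + b"\n")
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = self.sock.recv(4096)  # raises TimeoutError if the flow was dropped
            if not chunk:
                raise ConnectionError("peer closed the connection")
            buf += chunk
        self.last_used = time.monotonic()
        return buf.strip()

    def authenticate(self, user):
        if self.sock is None:
            self._open()
        elif time.monotonic() - self.last_used > self.idle_timeout:
            self._reopen()  # proactive idle timeout: reopen before sending
        try:
            return self._request(b"AUTH " + user)
        except OSError:  # TimeoutError and ConnectionError are both OSError subclasses
            self._reopen()  # transparent reconnection, then retry the request once
            return self._request(b"AUTH " + user)


def run_scenario():
    """Normal bind, then a silently dropped flow, then an idle period; returns what
    each call answered and how many reopens were needed along the way."""
    server = DropSimulatingServer()
    client = ReconnectingAuthClient(server.port, idle_timeout=0.3, reply_timeout=0.5)
    results = {"first": client.authenticate(b"alice")}
    server.cut()                                            # firewall expires the flow
    results["after_cut"] = client.authenticate(b"bob")      # no reply -> reconnect -> OK
    results["reconnects_after_cut"] = client.reconnects
    time.sleep(0.4)                                         # sit idle past idle_timeout
    results["after_idle"] = client.authenticate(b"carol")   # reopened before sending
    results["reconnects_total"] = client.reconnects
    client._close()
    server.listener.close()
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The reply timeout is what turns a silent drop into a detectable failure: without it the client blocks indefinitely on the dead flow, which is the "authentication problem until restart" described in the question. The idle timeout is cheaper still, because it avoids ever presenting the firewall with a flow old enough to be expired.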
I had this problem running Dovecot 2.x where the LDAP servers are located in another firewall zone; we use a Juniper SSG550. The problem was that the firewall was dropping the idle LDAP connections, so client authentication was failing in Dovecot for a while, and after some time it reconnected. Dovecot and the OpenLDAP server never know that the firewall has dropped the connection, because by default the firewall doesn't send a TCP reset to the client and the server. On Juniper/Netscreen you can work around this and speed up the process by configuring the zone to send a reset back to the client and the server. Check you have this on the firewall:
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
Edit your zone and enable "If TCP non SYN, send RESET back" checkbox:
This fixed the delay for us; it would be a nice feature on the Dovecot side... Best regards
On 11 April 2012 at 11:36, Timo Sirainen tss@iki.fi wrote:
> On 11.4.2012, at 17.49, Zhou, Yan wrote:
> > We are using Dovecot 1.0.13, and it connects to an LDAP server for authentication. It seems that Dovecot keeps the idle LDAP connection open.
> Yes.
> > Our firewall terminates these connections after some time of inactivity (2 hours), and then we run into authentication problems. If we restart either LDAP or Dovecot, it is fine again.
> > Can we set some kind of LDAP idle connection timeout in Dovecot (/etc/dovecot-ldap.conf)? I do not see any such configuration option for 1.0.13.
> No. But if you upgrade to a newer Dovecot (v2.x probably) this is solved by automatic transparent reconnection.
participants (3)
- Aliet Santiesteban Sifontes
- Timo Sirainen
- Zhou, Yan