[Dovecot] LDAP congestion
Hello,
I've been asked to have a look at a misbehaving mail server of some colleagues today where almost all logins were failing or excessively delayed, while the LDAP database itself was pretty fast.
They run Dovecot 1.2.11 (yes, I know, stoneage) against an LDAP server run by a 3rd party, auth_bind=yes (required). The problem is that this third party LDAP server delays bindResponse 3 seconds when the password is wrong. A user wanted to login every 2-3 seconds this morning with the wrong password, which effectively killed the system because the LDAP connection was mostly stalled waiting for the auth timeout.
From a previous discussion with Timo I know that bindRequests cannot be parallelized in LDAP, so the problem does not come completely unexpected. Other than removing the failure delay in the LDAP server, is there anything one can do? If there is any change in newer Dovecot versions about that please tell me so I can encourage them to upgrade, but I haven't seen anything in the changelog.
Any way to get several LDAP workers/connections for passdb in parallel?
Thanks, Bernhard
On 6.11.2012, at 11.38, Bernhard Schmidt wrote:
> I've been asked to have a look at a misbehaving mail server of some colleagues today where almost all logins were failing or excessively delayed, while the LDAP database itself was pretty fast.
> They run Dovecot 1.2.11 (yes, I know, stoneage) against an LDAP server run by a 3rd party, auth_bind=yes (required). The problem is that this third party LDAP server delays bindResponse 3 seconds when the password is wrong. A user wanted to login every 2-3 seconds this morning with the wrong password, which effectively killed the system because the LDAP connection was mostly stalled waiting for the auth timeout.
> From a previous discussion with Timo I know that bindRequests cannot be parallelized in LDAP, so the problem does not come completely unexpected. Other than removing the failure delay in the LDAP server, is there anything one can do? If there is any change in newer Dovecot versions about that please tell me so I can encourage them to upgrade, but I haven't seen anything in the changelog.
> Any way to get several LDAP workers/connections for passdb in parallel?
Multiple LDAP connections is in TODO. The only alternative right now is to use e.g. checkpassword backend that does the ldap lookup in a script.