[Dovecot] auth: Error: LDAP: Connection lost to LDAP server, reconnecting
Hello,
I continue debugging my problems with my update to dovecot 2.x :-(
I have dovecot 2.0.13 running on ubuntu 10.04 (lucid) x64. My users are in an LDAP directory. The problem is that I have a lot of errors like:
Aug 24 23:07:32 myotis28 dovecot: auth-worker(default): LDAP: Connection lost to LDAP server, reconnecting
I have seen in the mailing list a patch for 1.2 (http://hg.dovecot.org/dovecot-1.2/rev/355d5a40f7a7) to ignore these logs when the disconnection is because of idle timeouts. As far as I could see in this patch and the 2.0.13 source code, this patch is already applied in 2.0. So I guess that the disconnection is due to some other problem, isn't it?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590 Fax: 868888337
On 25.8.2011, at 13.04, Angel L. Mateo wrote:
> Aug 24 23:07:32 myotis28 dovecot: auth-worker(default): LDAP: Connection lost to LDAP server, reconnecting
> I have seen in the mailing list a patch for 1.2 (http://hg.dovecot.org/dovecot-1.2/rev/355d5a40f7a7) to ignore these logs when the disconnection is because of idle timeouts. As far as I could see in this patch and the 2.0.13 source code, this patch is already applied in 2.0. So I guess that the disconnection is due to some other problem, isn't it?
I had completely forgotten I had added such a feature :) See what it logs with the attached patch.
On 25/08/11 12:10, Timo Sirainen wrote:
> On 25.8.2011, at 13.04, Angel L. Mateo wrote:
>> Aug 24 23:07:32 myotis28 dovecot: auth-worker(default): LDAP: Connection lost to LDAP server, reconnecting
>> I have seen in the mailing list a patch for 1.2 (http://hg.dovecot.org/dovecot-1.2/rev/355d5a40f7a7) to ignore these logs when the disconnection is because of idle timeouts. As far as I could see in this patch and the 2.0.13 source code, this patch is already applied in 2.0. So I guess that the disconnection is due to some other problem, isn't it?
> I had completely forgotten I had added such a feature :) See what it logs with the attached patch.
Hello,
I have found the problem. It is not a dovecot issue. The problem (if this is a problem) is that our LDAP is behind a load balancer. This load balancer has a timeout of 3600s for LDAP connections. If there is a connection with more than 3600s without activity, the load balancer closes it, and this is the reason for the message.
Now I'm trying to find out why dovecot has an LDAP connection with inactivity.
One question: does the auth process use more than one LDAP connection? If it uses a pool it is more reasonable, because we have auth cache enabled and now we have low activity, so it could be that a connection lasts more than 1 hour without activity, isn't it?
On 25/08/11 12:10, Timo Sirainen wrote:
> On 25.8.2011, at 13.04, Angel L. Mateo wrote:
>> Aug 24 23:07:32 myotis28 dovecot: auth-worker(default): LDAP: Connection lost to LDAP server, reconnecting
>> I have seen in the mailing list a patch for 1.2 (http://hg.dovecot.org/dovecot-1.2/rev/355d5a40f7a7) to ignore these logs when the disconnection is because of idle timeouts. As far as I could see in this patch and the 2.0.13 source code, this patch is already applied in 2.0. So I guess that the disconnection is due to some other problem, isn't it?
> I had completely forgotten I had added such a feature :) See what it logs with the attached patch.
I have tried the patch. It confirms my hypothesis: the connection is closed by my load balancer:
Aug 26 12:55:27 myotis31 dovecot: auth: Error: LDAP: Connection lost to LDAP server, reconnecting (1 requests, 3603 idle secs)
Is there any way to configure the LDAP connection with a keepalive, so I don't need a reconnection?
On Fri, 2011-08-26 at 13:01 +0200, Angel L. Mateo wrote:
> On 25/08/11 12:10, Timo Sirainen wrote:
>> On 25.8.2011, at 13.04, Angel L. Mateo wrote:
>>> Aug 24 23:07:32 myotis28 dovecot: auth-worker(default): LDAP: Connection lost to LDAP server, reconnecting
>>> I have seen in the mailing list a patch for 1.2 (http://hg.dovecot.org/dovecot-1.2/rev/355d5a40f7a7) to ignore these logs when the disconnection is because of idle timeouts. As far as I could see in this patch and the 2.0.13 source code, this patch is already applied in 2.0. So I guess that the disconnection is due to some other problem, isn't it?
>> I had completely forgotten I had added such a feature :) See what it logs with the attached patch.
> I have tried the patch. It confirms my hypothesis: the connection is closed by my load balancer:
> Aug 26 12:55:27 myotis31 dovecot: auth: Error: LDAP: Connection lost to LDAP server, reconnecting (1 requests, 3603 idle secs)
Ah. So this is noticed only when Dovecot tries to use the LDAP connection that has been disconnected.
> Is there any way to configure the LDAP connection with a keepalive, so I don't need a reconnection?
Nope. But you could configure your LDAP server to idle-disconnect after some amount of time.
On 29/08/11 05:26, Timo Sirainen wrote:
> On Fri, 2011-08-26 at 13:01 +0200, Angel L. Mateo wrote:
>> On 25/08/11 12:10, Timo Sirainen wrote:
>>> On 25.8.2011, at 13.04, Angel L. Mateo wrote:
>>>> Aug 24 23:07:32 myotis28 dovecot: auth-worker(default): LDAP: Connection lost to LDAP server, reconnecting
>>>> I have seen in the mailing list a patch for 1.2 (http://hg.dovecot.org/dovecot-1.2/rev/355d5a40f7a7) to ignore these logs when the disconnection is because of idle timeouts. As far as I could see in this patch and the 2.0.13 source code, this patch is already applied in 2.0. So I guess that the disconnection is due to some other problem, isn't it?
>>> I had completely forgotten I had added such a feature :) See what it logs with the attached patch.
>> I have tried the patch. It confirms my hypothesis: the connection is closed by my load balancer:
>> Aug 26 12:55:27 myotis31 dovecot: auth: Error: LDAP: Connection lost to LDAP server, reconnecting (1 requests, 3603 idle secs)
> Ah. So this is noticed only when Dovecot tries to use the LDAP connection that has been disconnected.
>> Is there any way to configure the LDAP connection with a keepalive, so I don't need a reconnection?
> Nope. But you could configure your LDAP server to idle-disconnect after some amount of time.
I know, but configuring the LDAP server does not resolve the problem, because the error (in fact it's just an informational message) still appears.
I think the solution is to configure the dovecot auth_cache_ttl to a value less than the idletimeout of the LDAP server.
On Mon, 2011-08-29 at 11:44 +0200, Angel L. Mateo wrote:
>>> Is there any way to configure the LDAP connection with a keepalive, so I don't need a reconnection?
>> Nope. But you could configure your LDAP server to idle-disconnect after some amount of time.
> I know, but configuring the LDAP server does not resolve the problem, because the error (in fact it's just an informational message) still appears.
Why? If the LDAP server idle-disconnects after 61 seconds and before the NAT timeout then Dovecot doesn't log anything about it.
On 30/08/11 05:13, Timo Sirainen wrote:
> On Mon, 2011-08-29 at 11:44 +0200, Angel L. Mateo wrote:
>>>> Is there any way to configure the LDAP connection with a keepalive, so I don't need a reconnection?
>>> Nope. But you could configure your LDAP server to idle-disconnect after some amount of time.
>> I know, but configuring the LDAP server does not resolve the problem, because the error (in fact it's just an informational message) still appears.
> Why? If the LDAP server idle-disconnects after 61 seconds and before the NAT timeout then Dovecot doesn't log anything about it.
I have tried this. My LDAP server closed the connection, but dovecot logged the message. I guess that, for dovecot, it is the same situation: it has to auth a user, but it hasn't got any active connection to the LDAP server.
On 30.8.2011, at 9.38, Angel L. Mateo wrote:
>> Why? If the LDAP server idle-disconnects after 61 seconds and before the NAT timeout then Dovecot doesn't log anything about it.
> I have tried this. My LDAP server closed the connection, but dovecot logged the message. I guess that, for dovecot, it is the same situation: it has to auth a user, but it hasn't got any active connection to the LDAP server.
Yeah, that happens if the disconnection is noticed at the time when a user is trying to authenticate. But if the disconnection is noticed immediately, when there are no user requests, there is also no message logged about it.
On 30/08/11 11:41, Timo Sirainen wrote:
> Yeah, that happens if the disconnection is noticed at the time when a user is trying to authenticate. But if the disconnection is noticed immediately, when there are no user requests, there is also no message logged about it.
So there must be some problem, because when my load balancer expires the connection it closes the TCP connection (it sends a FIN packet). I guess that slapd does too. But I'll check this...
On 31/08/11 08:54, Angel L. Mateo wrote:
> On 30/08/11 11:41, Timo Sirainen wrote:
>> Yeah, that happens if the disconnection is noticed at the time when a user is trying to authenticate. But if the disconnection is noticed immediately, when there are no user requests, there is also no message logged about it.
> So there must be some problem, because when my load balancer expires the connection it closes the TCP connection (it sends a FIN packet). I guess that slapd does too. But I'll check this...
OK. You were right:
When OpenLDAP closes the connection because of the idle timeout, it sends a FIN packet. When dovecot needs the connection, it simply opens a new connection (without any log message).
When my load balancer closes the connection, it doesn't send anything, so dovecot thinks the connection is active. So, when auth needs it, it tries to send the search, then the load balancer sends a RST packet, so dovecot logs the message and opens a new connection.
So the solution is to configure the OpenLDAP idletimeout parameter, dovecot auth_cache_ttl and the load balancer timeout in order to avoid this last timeout being reached.
On 31/08/11 12:31, Angel L. Mateo wrote:
> When OpenLDAP closes the connection because of the idle timeout, it sends a FIN packet. When dovecot needs the connection, it simply opens a new connection (without any log message).
> When my load balancer closes the connection, it doesn't send anything, so dovecot thinks the connection is active. So, when auth needs it, it tries to send the search, then the load balancer sends a RST packet, so dovecot logs the message and opens a new connection.
> So the solution is to configure the OpenLDAP idletimeout parameter, dovecot auth_cache_ttl and the load balancer timeout in order to avoid this last timeout being reached.
In fact, you could configure dovecot auth_cache_ttl bigger than the others; it doesn't apply. You need to configure it only if you don't want the connection to be really closed. If you just want to not log any message, configuring the slapd timeout less than the load balancer timeout is enough.
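The diagnosis in the thread comes down to two facts: the "(N requests, M idle secs)" suffix tells you how long the connection sat idle before dovecot-auth found it dead, and a hop that closes with a FIN is noticed quietly while a hop that drops state silently is only noticed when the next search gets a RST. The following is an added example, not code from Dovecot, OpenLDAP or either participant: it parses the log lines quoted above (the sample log is constructed from them), attributes a drop to the hop whose idle timer fired first, and checks whether the configured timers still allow the silent-drop case. The hop names, the 3600 s balancer timeout and the 1800 s slapd idletimeout are assumed values; the "smallest timeout fires first" model is a simplification.

```python
"""Attribute Dovecot's "Connection lost to LDAP server" messages to the hop
that dropped the idle connection, and check that idle timeouts along the
path are ordered so the drop is a clean FIN rather than a silent one.

Added example for this thread; not Dovecot or OpenLDAP code. Log lines,
hop names and timeout values are constructed/assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Message as logged by dovecot-auth, with the optional
# "(N requests, M idle secs)" suffix added by the debug patch in the thread.
LOST_RE = re.compile(
    r"LDAP: Connection lost to LDAP server, reconnecting"
    r"(?: \((?P<requests>\d+) requests?, (?P<idle>\d+) idle secs\))?"
)

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Aug 24 23:07:32 myotis28 dovecot: auth-worker(default): LDAP: Connection lost to LDAP server, reconnecting
Aug 26 12:55:27 myotis31 dovecot: auth: Error: LDAP: Connection lost to LDAP server, reconnecting (1 requests, 3603 idle secs)
Aug 26 12:55:28 myotis31 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5
"""


@dataclass(frozen=True)
class Hop:
    """One device on the path between dovecot-auth and slapd."""
    name: str
    idle_timeout: int   # seconds; 0 means "never idle-disconnects" (slapd's default)
    sends_fin: bool     # True: closes the TCP connection with a FIN
                        # False: drops state silently; RST only on the next send


def parse_lost_connections(log_text: str) -> List[dict]:
    """Extract every reconnect message with its request count and idle time."""
    found = []
    for line in log_text.splitlines():
        m = LOST_RE.search(line)
        if not m:
            continue
        found.append({
            "timestamp": " ".join(line.split()[:3]),
            "requests": int(m["requests"]) if m["requests"] else None,
            "idle_secs": int(m["idle"]) if m["idle"] else None,
        })
    return found


def first_to_expire(idle_secs: int, hops: List[Hop]) -> Optional[Hop]:
    """The hop whose idle timeout is the smallest one that has elapsed.

    Once one hop tears the connection down the others never get their turn,
    so the smallest elapsed timeout identifies the culprit.
    """
    expired = [h for h in hops if h.idle_timeout and h.idle_timeout <= idle_secs]
    return min(expired, key=lambda h: h.idle_timeout) if expired else None


def expected_logging(idle_secs: int, hops: List[Hop]) -> str:
    """What dovecot-auth does when it next needs a connection idle this long."""
    culprit = first_to_expire(idle_secs, hops)
    if culprit is None:
        return "reuse"              # still open: no reconnect at all
    if culprit.sends_fin:
        return "silent-reconnect"   # EOF already on the socket: reconnects quietly
    return "logged-reconnect"       # looks open, send gets RST: the thread's message


def silent_drop_possible(hops: List[Hop]) -> bool:
    """True if a hop that does not send FIN can be the first to expire.

    The thread's fix: give slapd (which sends FIN) a smaller idletimeout than
    the load balancer, so the balancer's idle timer never fires first.
    """
    active = [h for h in hops if h.idle_timeout]
    if not active:
        return False
    smallest = min(h.idle_timeout for h in active)
    return any(h.idle_timeout == smallest and not h.sends_fin for h in active)


if __name__ == "__main__":
    # Assumed topology: slapd default (no idletimeout), balancer drops at 3600 s.
    before = [Hop("slapd", 0, True), Hop("load-balancer", 3600, False)]
    # Assumed fix: slapd idletimeout 1800 < balancer 3600.
    after = [Hop("slapd", 1800, True), Hop("load-balancer", 3600, False)]
    for event in parse_lost_connections(SAMPLE_LOG):
        idle = event["idle_secs"]
        if idle is None:
            print(event["timestamp"], "no idle info (unpatched build)")
            continue
        culprit = first_to_expire(idle, before)
        print(event["timestamp"], f"idle {idle}s -> dropped by",
              culprit.name if culprit else "nobody",
              "/ after fix:", expected_logging(idle, after))
    print("silent drop still possible after fix:", silent_drop_possible(after))
```

Run against a real log, the only hop whose timeout lies just below the reported idle seconds is the one to look at; a 3603 s idle against a 3600 s balancer timer is the thread's case. Note that `auth_cache_ttl` does not appear in the model: as the last message says, it only changes how often the connection is used, not whether a drop is logged.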
Participants (2): Angel L. Mateo, Timo Sirainen