[Dovecot] How to define ldap connection idle

Aliet Santiesteban Sifontes alietsantiesteban at gmail.com
Tue Nov 8 01:02:23 EET 2011


We checked with the firewall admins and they cannot change the drop
action, this model doesn't support reject, only drops, but for testing they
disabled the ldap protocol idle timeout, which was set to 30 mins, to never so
the firewall never drops ldap idle connections, we also verified the
clientidletimeout option in Openldap but it is set to 0 which means never close
an idle connection. After testing again we see the connection hanging again
after user inactivity, we will keep looking for other issues and maybe do
some packet captures to see what is really happening.
Best regards, btw it would be great to have this ldap_idle_disconnect = 30s

2011/11/4 Timo Sirainen <tss at iki.fi>

> On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
> > I'm having a problem with dovecot ldap connection when ldap server is in
> > another firewall zone, firewall kills the ldap connection after a
> > determined period of inactivity, this is good from the firewall point of
> > view but is bad for dovecot because it never knows the connection has been
> > dropped, this creates long timeouts in dovecot and finally it reconnects,
> > meanwhile many users fail to authenticate, I have seen this kind of post
> > in the list for a while but can't find a solution for it, so my question is
> > how to define an idle ldap time in dovecot so it can reconnect before the
> > firewall has dropped the connection or just close the connection under
> > inactivity so when a user authenticates it doesn't fail for a while until
> > dovecot detects that the connection has hung. Is this a feature request
> > or is there already a configuration for this?
>
> Can't the firewall be changed to reject the LDAP packets instead of
> dropping them? Then Dovecot would immediately notice that the connection
> has died, and with a recent enough version it wouldn't even log an error
> about it.
>
> I guess some kind of an "ldap_idle_disconnect = 30s" setting could be
> added, but it's not a very high priority for me.

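Timo's suggested `ldap_idle_disconnect = 30s` setting, written out as an added example (this is not Dovecot's code and not from anyone in this thread): a client connection wrapper that remembers when it last used its socket and proactively closes and reopens it once the idle time reaches the configured limit, so a firewall that silently drops idle flows never leaves the client blocking on a dead connection. A local TCP echo server stands in for the LDAP server, and the clock is injectable so the idle logic can be exercised without actually waiting; the class and function names are all made up for this illustration.

```python
import socket
import threading
import time


def _echo(conn):
    # Constructed stand-in for an LDAP server: echo every request back unchanged.
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                return
            conn.sendall(data)


def start_echo_server():
    """Start a local echo server on an ephemeral port; returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed: shut the server down
                return
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


class FakeClock:
    """Controllable monotonic clock so idle periods can be simulated instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class IdleAwareConnection:
    """Client connection that closes itself after `idle_disconnect` seconds without traffic.

    Hypothetical illustration of the proposed ldap_idle_disconnect behaviour: instead of
    letting the firewall silently drop an idle flow and then hanging on a dead socket,
    the client disconnects first and reconnects on the next request.
    """

    def __init__(self, host, port, idle_disconnect, clock=time.monotonic):
        self.host, self.port = host, port
        self.idle_disconnect = idle_disconnect
        self.clock = clock
        self.sock = None
        self.last_used = None
        self.connects = 0      # how many times a socket was opened
        self.idle_closes = 0   # how many closes were triggered by the idle rule

    def _open(self):
        self.sock = socket.create_connection((self.host, self.port), timeout=5)
        self.last_used = self.clock()
        self.connects += 1

    def request(self, payload):
        """Send `payload` and return the reply, reconnecting first if the link sat idle too long."""
        if self.sock is not None and self.clock() - self.last_used >= self.idle_disconnect:
            self.sock.close()
            self.sock = None
            self.idle_closes += 1
        if self.sock is None:
            self._open()
        self.sock.sendall(payload)
        reply = self.sock.recv(4096)
        self.last_used = self.clock()
        return reply

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None


def demo(idle_disconnect=30):
    """Three requests with 10 s, then 31 s of simulated idle time between them."""
    port, srv = start_echo_server()
    clock = FakeClock()
    conn = IdleAwareConnection("127.0.0.1", port, idle_disconnect, clock=clock)
    try:
        replies = [conn.request(b"bind")]
        clock.advance(10)                  # still within the limit: the socket is reused
        replies.append(conn.request(b"search 1"))
        clock.advance(31)                  # past the limit: reconnect before sending
        replies.append(conn.request(b"search 2"))
        return {"replies": replies, "connects": conn.connects, "idle_closes": conn.idle_closes}
    finally:
        conn.close()
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The value of `idle_disconnect` has to sit below the firewall's own idle timeout (30 minutes in the case described above) for the scheme to help; a client that disconnects at 30 s is paying one reconnect per idle gap instead of a long blocking timeout on a socket the firewall already forgot about.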