[Dovecot] How to define ldap connection idle

Timo Sirainen tss at iki.fi
Tue Nov 8 01:11:02 EET 2011


If you set openldap server to close idle clients sooner than the
connection itself is dropped by firewall (or whatever), then Dovecot
sees the disconnection and won't hang. So you could try something like
clientidletimeout=5 mins

On Mon, 2011-11-07 at 18:02 -0500, Aliet Santiesteban Sifontes wrote:
> We checked with the firewall admins and they cannot change the drop
> action, this model doesn't support reject, only drops, but for testing
> they disabled the ldap protocol idle timeout which was set to 30 mins
> to never so the firewall never drops ldap idle connections, we also
> verified the clientidletimeout option in Openldap but it is set to 0 which
> means never close an idle connection. After testing again we see the
> connection hanging again after user inactivity, we will keep looking
> for other issues and maybe do some packet captures to see what is
> really happening.
> best regards, btw it would be great to have this ldap_idle_disconnect = 30s
> 
> 2011/11/4 Timo Sirainen <tss at iki.fi>
>         
>         On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
>         > I'm having a problem with dovecot ldap connection when ldap server is in
>         > another firewall zone, firewall kills the ldap connection after a
>         > determined period of inactivity, this is good from the firewall point of
>         > view but is bad for dovecot because it never knows the connection has been
>         > dropped, this creates long timeouts in dovecot and finally it reconnects,
>         > meanwhile many users fail to authenticate, I have seen this kind of post
>         > in the list for a while but can't find a solution for it, so my question is
>         > how to define an idle ldap time in dovecot so it can reconnect before the
>         > firewall has dropped the connection or just close the connection under
>         > inactivity so when a user authenticates it doesn't fail for a while until
>         > dovecot detects that the connection has hung. Is this a feature request
>         > or is there already a configuration for this???
>         
>         
>         Can't the firewall be changed to reject the LDAP packets instead of
>         dropping them? Then Dovecot would immediately notice that the connection
>         has died, and with a recent enough version it wouldn't even log an error
>         about it.
>         
>         I guess some kind of an "ldap_idle_disconnect = 30s" setting could be
>         added, but it's not a very high priority for me.
>         
>         
> 
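Added example, not part of the thread: a small probe for the check Timo's suggestion calls for. It opens a connection to the LDAP server, sends an anonymous LDAPv3 bind, then sits idle and reports whether and when the server closes the connection; run against the real slapd (host and port are assumptions), it should report a close well before the firewall's idle timeout. The fake server is constructed for offline use only.

```python
import socket
import threading
import time

# Anonymous LDAPv3 simple BindRequest (messageID 1), hand-encoded BER,
# constructed for this example so the probe speaks real LDAP framing.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def idle_close_delay(host, port, max_wait):
    """Connect, send one bind, go idle, and measure how long the peer takes
    to close the connection.  Returns seconds until FIN/RST, or None if the
    socket is still nominally open after max_wait.  None is what a silently
    dropping firewall looks like from Dovecot's side: no FIN, no RST, so
    the client only learns the connection is dead when its next write times out."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(ANON_BIND)
        start = time.monotonic()
        while True:
            remaining = start + max_wait - time.monotonic()
            if remaining <= 0:
                return None
            s.settimeout(remaining)
            try:
                data = s.recv(4096)
            except socket.timeout:
                return None
            except ConnectionResetError:  # RST: peer or path reset the connection
                return round(time.monotonic() - start, 2)
            if not data:  # clean FIN: the server-side idle timeout fired
                return round(time.monotonic() - start, 2)
            # Anything else is the BindResponse; keep waiting for the close.

def fake_ldap_server(close_after):
    """Stand-in for slapd, constructed for offline use: accepts one client,
    reads its bind, and closes it after close_after seconds (None = hold it
    open indefinitely, like a path that drops packets but never rejects)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.recv(4096)
        time.sleep(60 if close_after is None else close_after)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

In OpenLDAP's slapd.conf the server-side setting is `idletimeout`, in seconds (`olcIdleTimeout` under cn=config), with 0 meaning never close idle clients.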