[Dovecot] How to define ldap connection idle
Aliet Santiesteban Sifontes
alietsantiesteban at gmail.com
Tue Nov 8 04:41:12 EET 2011
We will try this as the next step to find a workaround. The problem with client
idletimeout=5 mins in the openldap server is that it is a global server definition
and has the net effect of changing replication refreshAndPersist into type
refreshOnly, which is not a welcome side effect. We will look at other options;
still, the best candidate is ldap_idle_disconnect on the dovecot side or any
other kind of logic able to detect this kind of problem.
best regards
2011/11/7 Timo Sirainen <tss at iki.fi>
> If you set openldap server to close idle clients sooner than the
> connection itself is dropped by firewall (or whatever), then Dovecot
> sees the disconnection and won't hang. So you could try something like
> clientidletimeout=5 mins
>
> On Mon, 2011-11-07 at 18:02 -0500, Aliet Santiesteban Sifontes wrote:
> > We checked with the firewall admins and they cannot change the drop
> > action, this model doesn't support reject, only drops, but for testing
> > they disabled the ldap protocol idle timeout which was set to 30 mins
> > to never so the firewall never drops ldap idle connections, we also
> > verified the clientidletimeout option in Openldap but it is set to 0 which
> > means never close an idle connection. After testing again we see the
> > connection hanging again after user inactivity, we will keep looking
> > for other issues and maybe do some packet captures to see what is
> > really happening.
> > best regards, btw it would be great to have this ldap_idle_disconnect = 30s
> >
> > 2011/11/4 Timo Sirainen <tss at iki.fi>
> >
> > On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
> > > I'm having a problem with dovecot ldap connection when ldap server is in
> > > another firewall zone, firewall kills the ldap connection after a
> > > determined period of inactivity, this is good from the firewall point of
> > > view but is bad for dovecot because it never knows the connection has been
> > > dropped, this creates long timeouts in dovecot and finally it reconnects,
> > > meanwhile many users fail to authenticate, I have seen this kind of post
> > > in the list for a while but can't find a solution for it, so my question is
> > > how to define an idle ldap time in dovecot so it can reconnect before the
> > > firewall has dropped the connection or just close the connection under
> > > inactivity so when a user authenticates it doesn't fail for a while until
> > > dovecot detects that the connection has hung. Is this a feature request
> > > or is there already a configuration for this???
> >
> > Can't the firewall be changed to reject the LDAP packets instead of
> > dropping them? Then Dovecot would immediately notice that the connection
> > has died, and with a recent enough version it wouldn't even log an error
> > about it.
> >
> > I guess some kind of an "ldap_idle_disconnect = 30s" setting could be
> > added, but it's not a very high priority for me.
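The workarounds discussed in this thread (a server-side idle timeout in OpenLDAP, a firewall that rejects instead of drops, or a Dovecot-side "ldap_idle_disconnect" setting) all aim at the same thing: making the client notice a dead LDAP connection before an authentication request stalls on it. The following Python sketch is an added example and is not part of the original thread, nor Dovecot's or OpenLDAP's code. It shows the client-side idle-disconnect logic the thread proposes (the `IdleAwareConnection` class and `simulate_usage` are hypothetical names) and, as a generic addition not mentioned in the thread, TCP keepalive on the socket so the kernel itself detects a path whose firewall state has vanished. The usage timestamps are constructed.

```python
# Added example (not Dovecot's or OpenLDAP's code): client-side handling of
# LDAP connections that a stateful firewall may silently drop after a period
# of inactivity, as discussed in the thread above.
import socket
import time
from typing import Callable, Optional


class IdleAwareConnection:
    """Connection holder that mimics the proposed "ldap_idle_disconnect"
    behaviour: if the wrapped connection has not been used for longer than
    idle_disconnect seconds, it is closed and re-established on the next use,
    so the authentication path never sends a request on a socket the firewall
    may already have forgotten about.

    `connect` is any factory returning a connection object (assumed to have an
    optional close()); `clock` is injectable so the logic can be tested offline.
    """

    def __init__(self, connect: Callable[[], object], idle_disconnect: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._connect = connect
        self._idle_disconnect = idle_disconnect
        self._clock = clock
        self._conn: Optional[object] = None
        self._last_used: float = 0.0
        self.reconnects = 0  # number of (re)connects performed so far

    def acquire(self) -> object:
        """Return a connection that was used within the idle window,
        reconnecting if the current one has sat idle for too long."""
        now = self._clock()
        if self._conn is not None and now - self._last_used > self._idle_disconnect:
            self.close()  # idle too long: assume the path is dead
        if self._conn is None:
            self._conn = self._connect()
            self.reconnects += 1
        self._last_used = now
        return self._conn

    def close(self) -> None:
        """Close the held connection (if any) and forget it."""
        conn, self._conn = self._conn, None
        closer = getattr(conn, "close", None)
        if callable(closer):
            closer()


def simulate_usage(use_times, idle_disconnect):
    """Replay constructed timestamps (seconds) at which an auth worker would
    use the LDAP connection and return how many connects were made."""
    clock = {"now": 0.0}
    connects = []

    def factory():
        connects.append(clock["now"])
        return object()  # stand-in for a real LDAP connection object

    holder = IdleAwareConnection(factory, idle_disconnect,
                                 clock=lambda: clock["now"])
    for t in use_times:
        clock["now"] = t
        holder.acquire()
    return len(connects)


def enable_tcp_keepalive(sock: socket.socket, idle: int = 60,
                         interval: int = 10, count: int = 3) -> dict:
    """Turn on TCP keepalive on an already created socket so the kernel probes
    the peer during idle periods; on a path where the firewall has dropped its
    state and silently discards packets, the probes go unanswered and the
    socket errors out instead of hanging until an application timeout.
    TCP_KEEPIDLE/KEEPINTVL/KEEPCNT are Linux names and are applied only where
    the platform exposes them."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": 1}
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = value
    return applied


def keepalive_readback() -> int:
    """Create a throwaway TCP socket, enable keepalive, and read the
    SO_KEEPALIVE flag back from the kernel (non-zero means enabled)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        enable_tcp_keepalive(s)
        return s.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)


if __name__ == "__main__":
    # Constructed usage pattern: a burst of logins, then a 40 s lull, then more.
    print("connects with 30 s idle limit:", simulate_usage([0, 10, 20, 60, 65, 120], 30))
    print("connects with no effective limit:", simulate_usage([0, 10, 20, 60, 65, 120], 1800))
    print("SO_KEEPALIVE read back:", keepalive_readback())
```

The idle-disconnect check costs one clock read per use and trades a few extra reconnects for never blocking an authentication on a socket that may be dead; the keepalive settings are the generic complement when the firewall cannot be made to reject, since an unanswered probe sequence turns a silent drop into a socket error the client can act on.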