[Dovecot] LDAP congestion

Bernhard Schmidt berni at birkenwald.de
Tue Nov 6 11:38:14 EET 2012


Hello,

I've been asked to have a look at a misbehaving mail server of some
colleagues today where almost all logins were failing or excessively
delayed, while the LDAP database itself was pretty fast.

They run Dovecot 1.2.11 (yes, I know, stone age) against an LDAP server
run by a 3rd party, auth_bind=yes (required). The problem is that this
third party LDAP server delays bindResponse 3 seconds when the password
is wrong. A user wanted to log in every 2-3 seconds this morning with the
wrong password, which effectively killed the system because the LDAP
connection was mostly stalled waiting for the auth timeout.

From a previous discussion with Timo I know that bindRequests cannot be
parallelized in LDAP, so the problem does not come completely
unexpected. Other than removing the failure delay in the LDAP server, is
there anything one can do? If there is any change in newer Dovecot
versions about that please tell me so I can encourage them to upgrade,
but I haven't seen anything in the changelog.

Any way to get several LDAP workers/connections for passdb in parallel?

Thanks,
Bernhard
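
The congestion described in the post, as an added example that is not part of the original message: a small queue model in which each LDAP connection serves one bindRequest at a time and a wrong password holds it for 3 seconds. The 0.05 s successful bind time, the FIFO ordering and the sample load are assumptions; the connection count is only a model parameter, not a Dovecot setting.

```python
import heapq

FAIL_DELAY = 3.0   # from the post: bindResponse delayed 3 s on a wrong password
OK_TIME = 0.05     # assumed round-trip for a successful bind

def simulate(arrivals, connections=1):
    """FIFO model: each LDAP connection serves one bindRequest at a time.
    arrivals: (time, password_ok) pairs. Returns (time, password_ok, latency)."""
    free_at = [0.0] * connections          # when each connection is next idle
    results = []
    for t, ok in sorted(arrivals):
        start = max(t, heapq.heappop(free_at))   # wait for the earliest idle one
        done = start + OK_TIME + (0.0 if ok else FAIL_DELAY)
        heapq.heappush(free_at, done)
        results.append((t, ok, done - t))
    return results

def constructed_load(duration=60):
    """Constructed sample: one client failing every 2.5 s, one good login per second."""
    bad = [(i * 2.5, False) for i in range(int(duration / 2.5))]
    good = [(i + 0.5, True) for i in range(duration)]
    return bad + good

def worst_good_latency(results):
    """Longest time any correct-password login waited for its bindResponse."""
    return max(lat for _, ok, lat in results if ok)

if __name__ == "__main__":
    for n in (1, 2, 4):
        worst = worst_good_latency(simulate(constructed_load(), n))
        print(f"{n} connection(s): worst latency for a correct login = {worst:.2f} s")
```

With one connection the failed binds alone demand more than one second of service per second of wall time, so the backlog for correct logins keeps growing for as long as the retries continue.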



