Timout for LDAP connection

mj lists at merit.unu.edu
Fri Mar 11 09:10:58 UTC 2016 

Hi,

We're now running with ldap via haproxy, as was suggested in this thread 
by Timo. So far, so good: it seems to work very well.

MJ

On 03/10/2016 04:15 PM, Gordon Grubert wrote:
> Hi Timo,
>
> On 01.03.2016 22:51, Timo Sirainen wrote:
>> On 29 Feb 2016, at 17:18, Gordon Grubert
>> <gordon.grubert+lists at uni-greifswald.de> wrote:
>>>
>>> Hi,
>>>
>>> we are using a round robin dns record for connections to our ldap
>>> system. This works fine for almost all cases. In particular, for
>>> dovecot does this mean, when an ldap server is stopped, dovecot
>>> instantly reconnects to another ldap server.
>>>
>>> But when the network connection to the active ldap server is broken,
>>> dovecot sticks to the failed ldap server. Is there any possibility to
>>> define a connection timeout?
>>
>> What should happen is that as long as new requests keep coming,
>> Dovecot realizes after about 60 seconds that the LDAP server is
>> hanging. It then reconnects and the reconnection should work. But...
>> First of all, 60 seconds is likely a much too long timeout.
>>
>> But more importantly it looks like there's something weird now going
>> on with OpenLDAP library. I added this somewhat recently and tested
>> that it works:
>>
>> https://github.com/dovecot/core/commit/fb3178a1924dae52151d88c4d4ded879df43dd3f
>>
>>
>> But now that I'm testing it, the timeout doesn't seem to be
>> triggering. I don't know what happened to it that it suddenly doesn't
>> work.. This also means that OpenLDAP seems to be internally stuck
>> trying to connect to a server that isn't responding. Dovecot doesn't
>> currently make the decisions on which LDAP server to connect to. It
>> just passes through all the hosts to OpenLDAP library and lets it
>> handle it. And it seems like OpenLDAP library can't right now do this
>> failover. So maybe Dovecot should be responsible for that as well..
>>
>> Anyway, for now you could set up haproxy to localhost and configure
>> Dovecot LDAP to connect to haproxy and haproxy connect to the actual
>> LDAP servers.
>>
>
> today I've upgraded to 2.2.21-1~auto+171 on debian 8 and made a lot of
> "interruption tests". Your fix not really solved the problem.
>
> But I found another interesting fact: The openldap client on debian 8
> can handle hard communication interrupts correctly. I've added
>
> NETWORK_TIMEOUT 5
> TIMEOUT         5
>
> to ldap.conf because man 5 ldap.conf says:
>
> NETWORK_TIMEOUT <integer>
>     Specifies the timeout (in seconds) after which the poll(2)/select(2)
>     following a connect(2) returns in case of no activity.
>
> TIMEOUT <integer>
>     Specifies  a  timeout  (in  seconds)  after  which  calls to
>     synchronous LDAP APIs will abort if no response is received.  Also
>     used for any ldap_result(3) calls where a NULL timeout parameter is
>     supplied.
>
> We are using the ISC DHCP server with dynamic ldap connections. This
> daemon uses - like dovecot - the LDAP API of the openldap client for
> access to the ldap server. The DHCP opens a persistent ldap connection
> to handle all dhcp requests (same behavior like dovecot). Here, the
> timeouts for connection loss are working.
>
> Therefore, my question: Why does this not work for dovecot, too, when
> dovecot uses the same API? Dovecot does not get a response from the
> LDAP server and has to reconnect, only.
>
> IMAP server world domination requires a reconnect in case of connection
> timeouts ;-)
>
> Best regards,
> Gordon

More information about the dovecot mailing list