Timout for LDAP connection

Timo Sirainen tss at iki.fi
Fri Mar 11 19:45:54 UTC 2016 

On 11 Mar 2016, at 04:15, Gordon Grubert <gordon.grubert+lists at uni-greifswald.de> wrote:
> 
> But I found another interesting fact: The openldap client on debian 8
> can handle hard communication interrupts correctly. I've added
> 
> NETWORK_TIMEOUT 5
> TIMEOUT         5
> 
> to ldap.conf because man 5 ldap.conf says:
> 
> NETWORK_TIMEOUT <integer>
>   Specifies the timeout (in seconds) after which the poll(2)/select(2)
>   following a connect(2) returns in case of no activity.
> 
> TIMEOUT <integer>
>   Specifies  a  timeout  (in  seconds)  after  which  calls to
>   synchronous LDAP APIs will abort if no response is received.  Also
>   used for any ldap_result(3) calls where a NULL timeout parameter is
>   supplied.

Dovecot doesn't use any synchronous openldap calls, so according to these manual pages the above settings are ignored by openldap library with Dovecot.

> We are using the ISC DHCP server with dynamic ldap connections. This
> daemon uses - like dovecot - the LDAP API of the openldap client for
> access to the ldap server. The DHCP opens a persistent ldap connection
> to handle all dhcp requests (same behavior like dovecot). Here, the
> timeouts for connection loss are working.
> 
> Therefore, my question: Why does this not work for dovecot, too, when
> dovecot uses the same API? Dovecot does not get a response from the
> LDAP server and has to reconnect, only.

I bet ISC DHCP uses synchronous openldap calls.

Dovecot can't also do the timeout handling internally, because it can only abort the entire openldap connect call. Dovecot can't tell openldap to connect to the next server. The only solution I can think of is that Dovecot doesn't let openldap do the multi-server connection handling, but instead have Dovecot create a separate openldap instance for each server and manage the connections + timeouts internally. But that's a lot of work..

Actually, a workaround might be to do synchronous binding. I'd rather not change Dovecot to do this by default, because it hangs the entire auth process while it's binding. But SASL authentication has no async API in openldap, so by enabling it you'll get synchronous authentication which will probably apply openldap's internally configured timeouts. Maybe you can get it working with:

sasl_bind = yes
sasl_mech = PLAIN

More information about the dovecot mailing list