https://bugs.openldap.org/show_bug.cgi?id=9829
Issue ID: 9829
Summary: set timeouts in remoteauth overlay
Product: OpenLDAP
Version: 2.5.11
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: david.coutadeur@gmail.com
Target Milestone: ---
Currently, it seems there is no way to configure timeouts in the remoteauth overlay.
For example, if I define a remoteauth_mapping with a file containing a list of hostnames, the first one is checked first.
After "remoteauth_retry_count" * "connect_timeout" seconds (210s on my system), remoteauth tests the second server in the list.
In some circumstances, it could be nice to set the connect timeout lower (or higher).
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
On Thu, Apr 21, 2022 at 02:57:23PM +0000, openldap-its@openldap.org wrote:
> Currently, it seems there is no way to configure timeouts in the remoteauth overlay.
> For example, if I define a remoteauth_mapping with a file containing a list of hostnames, the first one is checked first.
> After "remoteauth_retry_count" * "connect_timeout" seconds (210s on my system), remoteauth tests the second server in the list.
> In some circumstances, it could be nice to set the connect timeout lower (or higher).
Hi David, you'll have to be more specific about how you propose this to actually behave because in my view that's not obvious from your description.
--- Comment #2 from David Coutadeur david.coutadeur@gmail.com ---
Hi Ondrej,
I had no precise idea for the implementation, but as a first step we could just define a global "remoteauth_connect_timeout" parameter in the configuration, and when defined, it would run:
ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, &timeout );
Setting a connect timeout per remote server seems a little overkill I think.
Regards
Quanah Gibson-Mount quanah@openldap.org changed:

What              | Removed      | Added
------------------|--------------|------
Target Milestone  | ---          | 2.7.0
Keywords          | needs_review |
--- Comment #3 from Howard Chu hyc@openldap.org ---
Would make more sense to rewrite remoteauth config & connection code to use slapd's bindconf_parse() and slap_client_connect(), which already handles all the timeout parameters.
Patch welcome.
--- Comment #4 from slash@aceslash.net ---
Hello,
I have also been bitten by this. This can actually create a situation where the whole server is unresponsive: if a remote system is down, all connections trying to use the remoteauth overlay will have to wait until the timeout (more than 2 minutes on my test system).
This situation can escalate quickly and block all connections on an OpenLDAP server, even the ones that don't use remoteauth.
I'm talking from experience here: both Active Directory servers were unavailable and it basically killed the whole OpenLDAP cluster for us.
The fix was to replace the addresses of the remote ADs with IPs that were responding, but had no LDAP port open, in this case the operation returns instantly.
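The stall this comment describes, and the bound the reporter's proposed "remoteauth_connect_timeout" (comment #2) would put on it, modelled as an added Python example. This is not OpenLDAP code: RemoteAuthConfig, select_server, worst_case_stall and fake_connector are hypothetical names, the host names and numeric values are constructed (chosen so that one unreachable host costs 210 s, the figure in the report; the overlay's real defaults may differ), and the walk over the host list follows the behaviour the report describes (retry_count attempts per host before moving to the next). The fake connectors stand in for a black-holed host, a host answering with a closed port, and a live server, which is exactly the difference the workaround above relies on.

```python
"""Added example (not OpenLDAP code): a model of how a bounded connect timeout
limits the time one slapd worker can spend walking a remoteauth host list.

Names such as RemoteAuthConfig and select_server are hypothetical; the numbers
are constructed, not taken from the overlay's source.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A connector takes (host, timeout_seconds) and raises OSError on failure.
Connector = Callable[[str, float], None]


@dataclass
class RemoteAuthConfig:
    hosts: List[str]               # tried in order, like the remoteauth_mapping file
    retry_count: int = 3           # stands in for remoteauth_retry_count (constructed)
    connect_timeout: float = 70.0  # the per-connect bound this issue asks to make configurable


def worst_case_stall(cfg: RemoteAuthConfig) -> float:
    """Seconds a single bind can block when every host is black-holed.

    Each unreachable host costs retry_count * connect_timeout, which is the
    delay the report measures before the second server is tried; a full list
    multiplies that by the number of hosts. Every worker thread stuck here is
    one fewer thread for requests that never touch remoteauth.
    """
    return len(cfg.hosts) * cfg.retry_count * cfg.connect_timeout


def tcp_connector(host: str, timeout: float) -> None:
    """Real connector: create_connection honours `timeout`, so a host that
    silently drops SYNs costs at most `timeout` seconds, while a host that
    answers with RST fails at once with ConnectionRefusedError (the behaviour
    the workaround in comment #4 relies on)."""
    name, _, port = host.rpartition(":")
    if not name:                    # no ":port" given, default to the LDAP port
        name, port = host, "389"
    with socket.create_connection((name, int(port)), timeout=timeout):
        pass                        # connected; a real overlay would now bind


def select_server(cfg: RemoteAuthConfig,
                  connect: Connector = tcp_connector
                  ) -> Tuple[Optional[str], List[Tuple[str, int, str]]]:
    """Walk the host list the way the report describes: retry_count attempts
    per host before moving on. Returns (host that accepted or None, attempts),
    where each attempt is (host, attempt_number, outcome)."""
    attempts: List[Tuple[str, int, str]] = []
    for host in cfg.hosts:
        for attempt in range(1, cfg.retry_count + 1):
            try:
                connect(host, cfg.connect_timeout)
            except OSError as exc:
                attempts.append((host, attempt, type(exc).__name__))
                continue
            attempts.append((host, attempt, "connected"))
            return host, attempts
    return None, attempts


def fake_connector(behaviour: Dict[str, str]) -> Connector:
    """Constructed stand-in for real servers so the walk runs offline:
    'blackhole' mimics a host that never answers (times out), 'refused' a
    reachable host with the port closed, 'ok' a live server."""
    def connect(host: str, timeout: float) -> None:
        kind = behaviour[host]
        if kind == "blackhole":
            raise TimeoutError(f"{host}: timed out after {timeout}s")
        if kind == "refused":
            raise ConnectionRefusedError(host)
    return connect


if __name__ == "__main__":
    cfg = RemoteAuthConfig(hosts=["ad1.example:389", "ad2.example:389"])
    print("worst case with 70s timeout:", worst_case_stall(cfg), "s")
    cfg.connect_timeout = 5.0       # what a configurable timeout would buy
    print("worst case with 5s timeout: ", worst_case_stall(cfg), "s")
    chosen, log = select_server(cfg, fake_connector(
        {"ad1.example:389": "blackhole", "ad2.example:389": "ok"}))
    print("chosen:", chosen)
    for entry in log:
        print("  ", entry)
```

Running the script with tcp_connector against real hosts shows the same split: a host that drops packets holds the caller for the full timeout on each attempt, a host that refuses the port returns immediately, and only the configured timeout decides how long the first case lasts.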
Quanah Gibson-Mount quanah@openldap.org changed:

What      | Removed | Added
----------|---------|------------
Severity  | normal  | enhancement