Having done some more research, it appears that Active Directory also has some settings
that could result in disconnected connections. I experimented with idle-timeout set to 30
seconds for the LDAP databases, but this seemed to exacerbate the frequency of the errors.
The behaviour exhibits as 'dead' connections, and LDAP does not appear to attempt
to re-establish these connections. Using the CentOS distro of OpenLDAP 2.4.23.
Here are the slapd.conf settings:
uri "ldap://IP1/ ldap://IP2/ ldap://3/ ldap://IPn/"
uri "ldap://IP11/ ldap://IP12/ ldap://13/ ldap://IP1n/"
I have some rewrite rules for bindDN, searchEntryDN, searchAttrDN, matchedDN, but I
don't believe these settings are relevant to the issue at hand.
Essentially I want the connections to be re-established without generating errors.
From: Bryce Powell
Sent: December 10, 2012 01:32 PM
Subject: LDAP database timeout settings
I have configured two LDAP backend databases, each pointing to a different Active
Directory domain (multiple domain controllers specified per domain). After a period of
time after slapd starts, the ldap log file shows multiple entries like this for the
various connections (conns=nnnn):
Dec 10 13:18:03 vmxxxldap01 slapd: conn=1004 op=27 SEARCH RESULT tag=101 err=1
nentries=0 text=000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0, v1db1
Without going into too much detail regarding the configuration, I'm wondering if I
need to specify LDAP database configuration settings for:
idle-timeout <time>
This directive causes a cached connection to be dropped and recreated after
it has been idle for the specified time.
network-timeout <time>
Sets the network timeout value after which poll(2)/select(2) following a
connect(2) returns in case of no activity. The value is in seconds, and it can be
specified as for idle-timeout.
I don't understand the explanation for network-timeout though, and am hoping someone
can kindly explain it in more detail, and suggest a scenario for its appropriate usage.
Also, when is it appropriate to use the ldap.conf NETWORK_TIMEOUT setting?
Specifies the timeout (in seconds) after which the poll(2)/select(2)
following a connect(2) returns in case of no activity.
Could someone please suggest the best approach for my use case? Of course, I might also
be completely off the mark here ...
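As an added example (not part of this thread), a small Python check that counts, per conn=, the RESULT lines carrying err=1 (LDAP operationsError) together with Active Directory's "successful bind must be completed" comment, which is what the quoted log line shows when the proxy reuses a cached connection whose bind state is gone. The sample log lines are constructed in the format of the line quoted above so the check runs offline; the threshold parameter is a parameter of this example, not an OpenLDAP setting.

```python
import re
from collections import defaultdict

# Constructed sample slapd log lines, modelled on the entry quoted in the post.
SAMPLE_LOG = """\
Dec 10 13:17:59 vmxxxldap01 slapd: conn=1004 op=26 SEARCH RESULT tag=101 err=0 nentries=3 text=
Dec 10 13:18:03 vmxxxldap01 slapd: conn=1004 op=27 SEARCH RESULT tag=101 err=1 nentries=0 text=000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
Dec 10 13:18:04 vmxxxldap01 slapd: conn=1004 op=28 SEARCH RESULT tag=101 err=1 nentries=0 text=000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
Dec 10 13:18:10 vmxxxldap01 slapd: conn=1007 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 10 13:18:11 vmxxxldap01 slapd: conn=1009 op=5 SEARCH RESULT tag=101 err=1 nentries=0 text=000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
"""

# Matches the fields slapd prints on a RESULT line: conn, op, operation kind, tag, err, nentries, text.
RESULT_RE = re.compile(
    r"conn=(\d+) op=(\d+) (\w+) RESULT tag=(\d+) err=(\d+) nentries=(\d+) text=(.*)$"
)
# The AD comment that accompanies err=1 when the proxied connection no longer holds a bind.
AD_BIND_LOST = "successful bind must be completed"


def parse_results(log_text):
    """Yield one dict per RESULT line; lines that are not RESULT lines are skipped."""
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            conn, op, kind, tag, err, nentries, text = m.groups()
            yield {"conn": int(conn), "op": int(op), "kind": kind,
                   "err": int(err), "nentries": int(nentries), "text": text}


def dead_connections(log_text, threshold=1):
    """Return {conn: count} for connections that produced at least `threshold`
    results with err=1 and the AD bind-lost comment (threshold is this example's knob)."""
    counts = defaultdict(int)
    for r in parse_results(log_text):
        if r["err"] == 1 and AD_BIND_LOST in r["text"]:
            counts[r["conn"]] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


def summarize(log_text):
    """Totals a practitioner would compare before and after changing idle-timeout/network-timeout."""
    dead = dead_connections(log_text)
    total = sum(1 for _ in parse_results(log_text))
    return {"total_results": total, "dead_conns": dead, "dead_ops": sum(dead.values())}


if __name__ == "__main__":
    for conn, n in sorted(dead_connections(SAMPLE_LOG).items()):
        print(f"conn={conn}: {n} operation(s) failed with the AD bind-lost error")
```

Run it against the real slapd log (e.g. read the file into `summarize`) to see whether the proportion of affected connections changes after a configuration change.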