Hello all,
I'm having an issue with the configuration of an OpenLDAP server working as a proxy to various Active Directory backends. The OpenLDAP proxy is in our network
and we have various VPNs to connect it to the remote Windows Domain Controllers (5 remote Domain Controllers of different customers, each one managing its own domain).
To configure the proxy, we use the META database.
When all the Domain Controllers are up, everything works fine, but when one of them goes down (network problems, a machine reboot, etc.), the web app that uses the OpenLDAP proxy
stops authenticating all users of all domains. The system process is even hung, and when you try to stop or restart the service,
it takes a long time to respond. I can't find a way to force a short timeout to ignore the offline DC and let the users of the other domains continue working.
The server OS is CentOS Linux release 7.4.1708 (Core), and the OpenLDAP version 2.4.44.
To check if this is an issue of this old version, I have deployed another server with Fedora 30 and OpenLDAP 2.4.47, but it shows the same behaviour, so it's probably a configuration problem.
Below is the slapd.conf file I'm using (with no private data). Any ideas about what to change in the configuration file?
Thanks in advance and best regards, David.
Hello David,
you should try to configure some timeout to cut connections to a failing AD. From "man slapd-meta":
bind-timeout <microseconds>
    This directive defines the timeout, in microseconds, used when polling
    for response after an asynchronous bind connection. The initial call to
    ldap_result(3) is performed with a trade-off timeout of 100000 us; if
    that results in a timeout exceeded, subsequent calls use the value
    provided with bind-timeout. The default value is used also for
    subsequent calls if bind-timeout is not specified. If set before any
    target specification, it affects all targets, unless overridden by any
    per-target directive.

idle-timeout <time>
    This directive causes a cached connection to be dropped and recreated
    after it has been idle for the specified time. The value can be
    specified as
        [<d>d][<h>h][<m>m][<s>[s]]
    where <d>, <h>, <m> and <s> are respectively treated as days, hours,
    minutes and seconds. If set before any target specification, it affects
    all targets, unless overridden by any per-target directive.

keepalive <idle>:<probes>:<interval>
    The keepalive parameter sets the values of idle, probes, and interval
    used to check whether a socket is alive; idle is the number of seconds
    a connection needs to remain idle before TCP starts sending keepalive
    probes; probes is the maximum number of keepalive probes TCP should
    send before dropping the connection; interval is the interval in
    seconds between individual keepalive probes. Only some systems support
    the customization of these values; the keepalive parameter is ignored
    otherwise, and system-wide settings are used.

network-timeout <time>
    Sets the network timeout value after which poll(2)/select(2) following
    a connect(2) returns in case of no activity. The value is in seconds,
    and it can be specified as for idle-timeout. If set before any target
    specification, it affects all targets, unless overridden by any
    per-target directive.
You can maybe give "network-timeout" a try first.
-- Clément Oudot | Identity Solutions Manager clement.oudot@worteks.com Worteks | https://www.worteks.com
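To show how the directives quoted in the reply fit into a META database, here is an added slapd.conf fragment. It is an example written for this thread, not David's real configuration and not taken from the slapd-meta man page: the hostnames, suffixes, bind DNs and passwords are placeholders, and two directives that are not quoted above but documented in slapd-meta(5), "timeout" (per-operation timeouts) and "onerr" (whether an error from one target aborts a multi-target search), are included because they cover the bind and search phases that network-timeout alone does not.

```conf
# Added example: one META database fronting two customer AD domains.
# Placeholders: REPLACE_ME, *.invalid hostnames, dc=customer-*,dc=local.
database        meta
suffix          "dc=proxy,dc=example"
rootdn          "cn=admin,dc=proxy,dc=example"
rootpw          REPLACE_ME

# Global settings: placed before the first "uri", so they apply to every
# target unless a target overrides them.
network-timeout 5              # connect()/poll() to a dead DC gives up after 5 s
bind-timeout    500000         # 0.5 s per ldap_result() poll during an async bind
idle-timeout    5m             # drop and recreate cached connections idle > 5 min
keepalive       60:3:10        # TCP keepalive: idle 60 s, 3 probes, 10 s apart
timeout         bind=5 search=10   # per-operation limits (slapd-meta(5) "timeout")
onerr           continue       # a failing target does not abort the whole search

# Target 1: customer A's domain controller, reached over its VPN
uri             "ldap://dc1.customer-a.invalid/ou=A,dc=proxy,dc=example"
suffixmassage   "ou=A,dc=proxy,dc=example" "dc=customer-a,dc=local"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=customer-a,dc=local"
                credentials="REPLACE_ME"
                mode=none
rebind-as-user  yes

# Target 2: customer B, on a slower link, so its connect timeout is longer
uri             "ldap://dc1.customer-b.invalid/ou=B,dc=proxy,dc=example"
suffixmassage   "ou=B,dc=proxy,dc=example" "dc=customer-b,dc=local"
network-timeout 10             # per-target override of the global value
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=customer-b,dc=local"
                credentials="REPLACE_ME"
                mode=none
rebind-as-user  yes
```

Each directive guards a different phase of talking to a backend: network-timeout bounds the TCP connect, bind-timeout bounds the polling for the bind response, timeout bounds the operations themselves, and idle-timeout plus keepalive stop the proxy from reusing a cached connection whose peer silently disappeared. The global/per-target ordering matters: a directive written after a "uri" line applies only to that target. After changing the file, check it with "slaptest -f /path/to/slapd.conf" before restarting slapd.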