On 09/05/2019 at 12:10, David Sanchez Herrero wrote:
Hello all,

I'm having an issue with the configuration of an OpenLDAP working as a proxy to various Active Directory backends. The OpenLDAP proxy is in our network
and we have various VPNs to connect it to the remote Windows Domain Controllers (5 remote Domain Controllers of different customers, each one managing its own domain).

To configure the proxy, we use the META database.

When all the Domain Controllers are up, everything works fine, but when one of them goes down (network problems, a machine reboot, etc.), the web app that uses the OpenLDAP proxy
stops authenticating all users of all domains. The system process is even hung, and when you try to stop or restart the service,
it takes a long time to respond. I can't find a way to force a short timeout to ignore the offline DC and let the users of the other domains continue working.

The server OS is CentOS Linux release 7.4.1708 (Core), and the OpenLDAP version 2.4.44.

To check if this is an issue of this old version, I have deployed another server with Fedora 30 and OpenLDAP 2.4.47, but the behaviour is the same, so it's probably a configuration problem.

Below is the slapd.conf file I'm using (with no private data). Any ideas about what to change in the configuration file?

Thanks in advance and best regards, David.



Hello David,


you should try to configure some timeout to cut connections to the failing AD. From "man slapd-meta":


       bind-timeout <microseconds>
              This  directive  defines  the  timeout,  in microseconds, used when polling for response after an asynchronous bind connection.  The initial call to
              ldap_result(3) is performed with a trade-off timeout of 100000 us; if that results in a timeout exceeded, subsequent calls use  the  value  provided
              with  bind-timeout.   The default value is used also for subsequent calls if bind-timeout is not specified.  If set before any target specification,
              it affects all targets, unless overridden by any per-target directive.


       idle-timeout <time>
              This directive causes a cached connection to be dropped and recreated after it has been idle for the specified time.  The value can be specified as

              [<d>d][<h>h][<m>m][<s>[s]]

              where  <d>,  <h>,  <m> and <s> are respectively treated as days, hours, minutes and seconds.  If set before any target specification, it affects all
              targets, unless overridden by any per-target directive.


       keepalive <idle>:<probes>:<interval>
              The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle  is  the  number  of  seconds  a
              connection  needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before
              dropping the connection; interval is interval in seconds between individual keepalive probes.  Only some systems support the customization of  these
              values; the keepalive parameter is ignored otherwise, and system-wide settings are used.


       network-timeout <time>
              Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity.  The value is in seconds, and it
              can be specified as for idle-timeout.  If set before any target  specification,  it  affects  all  targets,  unless  overridden  by  any  per-target
              directive.



You could maybe try "network-timeout" first.

-- 
Clément Oudot | Identity Solutions Manager

clement.oudot@worteks.com

Worteks | https://www.worteks.com
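As an added illustration of how the directives quoted above are placed in a slapd.conf META database (this is example configuration, not the file from the original thread nor Clément's): global timeouts go before the first "uri", and any directive repeated after a "uri" overrides the global value for that target only. Hostnames, suffixes, the "timeout" and "nretries" directives, and the bind credentials are placeholders and assumptions.

```conf
# Example META database (added illustration, not the thread's own slapd.conf).
# slapd.conf only accepts comments on their own lines, so none are trailing.

database        meta
suffix          "dc=proxy,dc=example"
rootdn          "cn=admin,dc=proxy,dc=example"

# Global defaults: apply to every target below unless overridden per target.
# network-timeout: seconds before poll()/select() after connect() gives up.
network-timeout 5
# bind-timeout: microseconds per poll for an asynchronous bind result (1 s).
bind-timeout    1000000
# idle-timeout: drop and recreate cached connections idle for 5 minutes.
idle-timeout    5m
# keepalive idle:probes:interval (honoured only where the OS allows it).
keepalive       60:3:10
# Per-operation limits in seconds (assumed slapd-meta "timeout" directive).
timeout         bind=10 search=30
# Do not keep retrying a target that is down (assumed "nretries" directive).
nretries        never

# Target 1: first customer's Active Directory domain (placeholder names).
uri             "ldap://dc1.customer-a.example/dc=customer-a,dc=proxy,dc=example"
suffixmassage   "dc=customer-a,dc=proxy,dc=example" "dc=customer-a,dc=local"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=customer-a,dc=local"
                credentials="PLACEHOLDER"

# Target 2: second customer over a slower VPN, with tighter per-target values
# that override the globals for this target only.
uri             "ldap://dc1.customer-b.example/dc=customer-b,dc=proxy,dc=example"
suffixmassage   "dc=customer-b,dc=proxy,dc=example" "dc=customer-b,dc=local"
network-timeout 3
idle-timeout    2m
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=customer-b,dc=local"
                credentials="PLACEHOLDER"
```

After changing the file, run "slaptest -f slapd.conf" to check the syntax before restarting slapd, and confirm the effect by taking one target's VPN down and timing a bind against a different domain.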