Hello,
We are running OpenLDAP 2.4.23. Part of our implementation proxies to an Active Directory server. Whenever connectivity to the AD server is interrupted, queries to the non-proxied portion of our implementation take a very long time and cause many issues with querying services.
I have been looking at timeout options for both slapd.conf and ldap.conf and I have found the following:
ldap.conf:
NETWORK_TIMEOUT <integer> Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity.
TIMEOUT <integer> Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. Also used for any ldap_result(3) calls where a NULL timeout parameter is supplied.
slapd.conf:
idletimeout <integer> Specify the number of seconds to wait before forcibly closing an idle client connection. An idletimeout of 0 disables this feature. The default is 0. You may also want to set the writetimeout option.
writetimeout <integer> Specify the number of seconds to wait before forcibly closing a connection with an outstanding write. This allows recovery from various network hang conditions. A writetimeout of 0 disables this feature. The default is 0.
I am wondering which timeout values would be best to set in order to speed up queries when proxy connectivity is interrupted. Perhaps there is something else wrong with our config that is causing this issue.
Our ldap.conf file is basically empty (so it uses all defaults).
Our slapd.conf looks something like this (heavily edited to remove specific info):
##########BEGIN SLAPD.CONF##########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/lockfile.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/ldap2dns.schema
include /etc/openldap/schema/radius.schema
include /etc/openldap/schema/mail.schema
loglevel 256
allow bind_v2
sasl-host [REMOVED]
sasl-realm [REMOVED]
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload rwm
tool-threads 2
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificatePath /etc/ssl/certs/
#TLSCertificateFile [REMOVED]
#TLSCertificateKeyFile [REMOVED]
#TLSVerifyClient demand
access to attrs=[REMOVED] by anonymous [REMOVED] by * [REMOVED]
access to attrs=[REMOVED] by * [REMOVED]
access to [REMOVED] by * [REMOVED]
access to [REMOVED] by * [REMOVED]
database [REMOVED]
suffix "[REMOVED]"
checkpoint 20480 5
cachesize 100000
directory [REMOVED]
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_max 268435456
dbconfig set_lg_bsize 16777216
dbconfig set_lk_max_objects 5000
dbconfig set_lk_max_locks 5000
dbconfig set_lk_max_lockers 50000
dbconfig set_flags DB_LOG_AUTOREMOVE
index [REMOVED]
index [REMOVED]
index [REMOVED]
rootdn [REMOVED]
rootpw [REMOVED]
syncrepl rid=[REMOVED] provider=[REMOVED] type=refreshAndPersist retry="300 +" searchbase="[REMOVED]" filter="(objectClass=*)" sizelimit="unlimited" timelimit="unlimited" scope=sub schemachecking=off bindmethod=simple binddn="[REMOVED]" credentials=[REMOVED]
database [REMOVED]
suffix "[REMOVED]"
checkpoint 20480 5
cachesize 100000
directory [REMOVED]
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_max 268435456
dbconfig set_lg_bsize 16777216
dbconfig set_lk_max_objects 5000
dbconfig set_lk_max_locks 5000
dbconfig set_lk_max_lockers 50000
dbconfig set_flags DB_LOG_AUTOREMOVE
index [REMOVED]
index [REMOVED]
index [REMOVED]
rootdn "[REMOVED]"
rootpw [REMOVED]
syncrepl [REMOVED] provider=[REMOVED] type=refreshAndPersist retry="300 +" searchbase="[REMOVED]" filter="(objectClass=*)" sizelimit="unlimited" timelimit="unlimited" scope=sub schemachecking=off bindmethod=simple binddn="[REMOVED]" credentials=[REMOVED]
database ldap
suffix "[REMOVED]"
uri "ldap://[REMOVED]"
uri "ldap://[REMOVED]"
rebind-as-user
lastmod off
chase-referrals yes
acl-bind bindmethod=simple binddn="[REMOVED]" credentials="[REMOVED]"
idassert-bind bindmethod=simple binddn="[REMOVED]" credentials="[REMOVED]" mode=none flags=prescriptive
idassert-authzFrom "dn.regex:.*"
overlay rwm
rwm-map attribute [REMOVED]
rwm-map attribute [REMOVED]
rwm-map attribute [REMOVED]
rwm-map attribute [REMOVED]
rwm-map attribute [REMOVED]
rwm-map attribute [REMOVED]
rwm-map objectclass [REMOVED]
rwm-map objectclass [REMOVED]
database [REMOVED]
##########END SLAPD.CONF##########
Thank You
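An added example, not the poster's configuration: the idletimeout and writetimeout quoted above govern slapd's own incoming client connections, while the outbound connections of the "database ldap" proxy are controlled by per-database directives from slapd-ldap(5), which the posted stanza does not set, so each proxied request that hangs on the unreachable AD server holds a slapd worker thread for the full system TCP timeout and starves queries to the local databases. The stanza below shows those directives in place; the directive names are from slapd-ldap(5) for OpenLDAP 2.4, and every numeric value is an assumed example value, not a recommendation from this thread.

```conf
# Added example stanza (not the poster's config): the proxied database
# with explicit back-ldap timeouts so a dead AD link fails fast instead
# of tying up slapd worker threads for the default TCP connect timeout.
database ldap
suffix "[REMOVED]"
uri "ldap://[REMOVED]"
rebind-as-user
lastmod off
chase-referrals yes
acl-bind bindmethod=simple binddn="[REMOVED]" credentials="[REMOVED]"
idassert-bind bindmethod=simple binddn="[REMOVED]" credentials="[REMOVED]" mode=none flags=prescriptive
idassert-authzFrom "dn.regex:.*"

# Seconds to wait for connect(2) to the remote server before the proxied
# operation fails with an unavailable result (example value).
network-timeout 5

# Per-operation wait (seconds) for a response from the remote server;
# supported operations are bind, add, compare, delete, extended, modify,
# modrdn and search (example values).
timeout bind=5 search=10

# Recycle cached connections to the remote server: close them after this
# many idle seconds, and in any case after this lifetime, so a socket
# left over from the outage is not reused once AD is reachable again
# (example values).
idle-timeout 60
conn-ttl 300

# After the remote server has returned unavailable, retry reconnecting
# only at these intervals (interval,count pairs) instead of on every
# incoming client request (example values).
quarantine "10,3;60,10"

overlay rwm
rwm-map attribute [REMOVED]
rwm-map objectclass [REMOVED]
```

A quick way to confirm the effect is to block the AD address on the proxy host and time an ldapsearch against the proxied suffix and then against a local suffix; with the directives above the proxied query should fail within network-timeout seconds and the local query should stay fast.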