Hello,

 

We are running OpenLDAP 2.4.23. Part of our implementation proxies to an Active Directory server. Whenever connectivity to the AD server is interrupted, queries to the non-proxied portion of our implementation take a very long time and cause many issues with querying services.

 

I have been looking at timeout options for both slapd.conf and ldap.conf and I have found the following:

 

ldap.conf:

 

       NETWORK_TIMEOUT <integer>

              Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity.

 

       TIMEOUT <integer>

              Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received.  Also used  for

              any ldap_result(3) calls where a NULL timeout parameter is supplied.

 

slapd.conf:

 

       idletimeout <integer>

              Specify the number of seconds to wait before forcibly closing an idle client connection.  A idletimeout of 0 disables this feature.   The

              default is 0. You may also want to set the writetimeout option.

 

       writetimeout <integer>

              Specify  the  number of seconds to wait before forcibly closing a connection with an outstanding write. This allows recovery from various

              network hang conditions.  A writetimeout of 0 disables this feature.  The default is 0.

 

I am wondering which timeout values would be best to set in order to speed up queries when proxy connectivity is interrupted.  Perhaps there is something else wrong with our config that is causing this issue.

 

Our ldap.conf file is basically empty (so, using all default)

 

Our slapd.conf looks something like this (heavily edited to remove specific info):

 

##########BEGIN SLAPD.CONF##########

 

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/samba3.schema

include         /etc/openldap/schema/lockfile.schema

include         /etc/openldap/schema/yast.schema

include         /etc/openldap/schema/ldap2dns.schema

include         /etc/openldap/schema/radius.schema

include         /etc/openldap/schema/mail.schema

 

loglevel 256

 

allow bind_v2

 

sasl-host [REMOVED]

sasl-realm [REMOVED]

 

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

 

modulepath      /usr/lib64/openldap

moduleload      rwm

 

tool-threads 2

 

#TLSCipherSuite HIGH:MEDIUM:+SSLv2

#TLSCACertificatePath /etc/ssl/certs/

#TLSCertificateFile [REMOVED]

#TLSCertificateKeyFile [REMOVED]

#TLSVerifyClient demand

 

access to attrs=[REMOVED]

        by anonymous [REMOVED]

        by * [REMOVED]

 

access to attrs=[REMOVED]

        by * [REMOVED]

 

access to [REMOVED]

        by * [REMOVED]

 

access to [REMOVED]

        by * [REMOVED]

 

 

database [REMOVED]

suffix "[REMOVED]"

checkpoint      20480 5

cachesize       100000

directory       [REMOVED]

 

dbconfig set_cachesize 0 268435456 1

dbconfig set_lg_max 268435456

dbconfig set_lg_bsize 16777216

dbconfig set_lk_max_objects 5000

dbconfig set_lk_max_locks 5000

dbconfig set_lk_max_lockers 50000

dbconfig set_flags DB_LOG_AUTOREMOVE

 

index [REMOVED]

index [REMOVED]

index [REMOVED]

 

 

 

rootdn          [REMOVED]

rootpw          [REMOVED]

syncrepl rid=[REMOVED]

        provider=[REMOVED]

        type=refreshAndPersist

        retry="300 +"

        searchbase="[REMOVED]"

        filter="(objectClass=*)"

        sizelimit="unlimited"

        timelimit="unlimited"

        scope=sub

        schemachecking=off

        bindmethod=simple

        binddn="[REMOVED]"

        credentials=[REMOVED]

 

 

database [REMOVED]

suffix "[REMOVED]"

checkpoint      20480 5

cachesize       100000

directory       [REMOVED]

 

dbconfig set_cachesize 0 268435456 1

dbconfig set_lg_max 268435456

dbconfig set_lg_bsize 16777216

dbconfig set_lk_max_objects 5000

dbconfig set_lk_max_locks 5000

dbconfig set_lk_max_lockers 50000

dbconfig set_flags DB_LOG_AUTOREMOVE

 

index [REMOVED]

index [REMOVED]

index [REMOVED]

 

 

 

rootdn          "[REMOVED]"

rootpw          [REMOVED]

syncrepl [REMOVED]

        provider=[REMOVED]

        type=refreshAndPersist

        retry="300 +"

        searchbase="[REMOVED]"

        filter="(objectClass=*)"

        sizelimit="unlimited"

        timelimit="unlimited"

        scope=sub

        schemachecking=off

        bindmethod=simple

        binddn="[REMOVED]"

        credentials=[REMOVED]

 

 

database ldap

 

suffix "[REMOVED]"

uri     "ldap:// [REMOVED]"

uri     "ldap:// [REMOVED]"

 

rebind-as-user

lastmod   off

chase-referrals yes

 

acl-bind

        bindmethod=simple

        binddn="[REMOVED]"

        credentials="[REMOVED]"

idassert-bind

        bindmethod=simple

        binddn="[REMOVED]"

        credentials="[REMOVED]"

        mode=none

        flags=prescriptive

idassert-authzFrom   "dn.regex:.*"

 

overlay rwm

rwm-map     attribute       [REMOVED]

rwm-map     attribute       [REMOVED]

rwm-map     attribute       [REMOVED]

rwm-map     attribute       [REMOVED]

rwm-map     attribute       [REMOVED]

rwm-map     attribute       [REMOVED]

rwm-map     objectclass     [REMOVED]

rwm-map     objectclass     [REMOVED]

 

 

 

database [REMOVED]

 

##########END SLAPD.CONF##########

 

Thank You