Hello all,
I'm having an issue with the configuration of an OpenLDAP working as a proxy to various Active Directory backends. The OpenLDAP proxy is in our network and we have various VPNs to connect it to the remote Windows Domain Controllers (5 remote Domain Controllers of different customers, each one managing its own domain).
To configure the proxy, we use the META database.
When all the Domain Controllers are up, everything works fine, but when one of them goes down (network problems, a machine reboot, etc.), the web app that uses the OpenLDAP proxy stops authenticating all users of all domains. The system process even hangs, and when you try to stop or restart the service, it takes a long time to respond. I can't find a way to force a short timeout to ignore the offline DC and let the users of the other domains continue working.
The server OS is CentOS Linux release 7.4.1708 (Core), and the OpenLDAP version 2.4.44.
To check if this is an issue of this old version, I have deployed another server with Fedora 30 and OpenLDAP 2.4.47, but it shows the same behaviour, so it's probably a configuration problem.
Below is the slapd.conf file I'm using (with no private data). Any ideas about what to change in the configuration file?
Thanks in advance and best regards, David.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
Include /etc/openldap/schema/core.schema
Include /etc/openldap/schema/corba.schema
Include /etc/openldap/schema/cosine.schema
Include /etc/openldap/schema/duaconf.schema
Include /etc/openldap/schema/dyngroup.schema
Include /etc/openldap/schema/inetorgperson.schema
Include /etc/openldap/schema/java.schema
Include /etc/openldap/schema/misc.schema
Include /etc/openldap/schema/nis.schema
Include /etc/openldap/schema/openldap.schema
Include /etc/openldap/schema/collective.schema
Include /etc/openldap/schema/pmi.schema
Include /etc/openldap/schema/ppolicy.schema

allow bind_v2

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload rwm.la
moduleload back_meta.la
moduleload back_ldap.la
moduleload back_null.la
moduleload back_bdb.la
moduleload back_hdb.la
moduleload back_ldif.la
moduleload back_shell.la
moduleload back_perl.la

loglevel 4095

#######################################################################
# MDB database definitions
#######################################################################
### AD Principal
database meta
suffix "dc=ldapproxy-pre,dc=local"
rootdn "cn=manager,dc=ldapproxy-pre,dc=local"
rootpw ??????????????
chase-referrals no
nretries 0

###################################
#
# LDAP entry for ONE
#
###################################
uri "ldap://1.2.3.1/ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=ONE,dc=local"
idassert-bind bindmethod=simple binddn="CN=USERONE,OU=Usuarios,DC=ONE,DC=local" credentials="??????????????" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm
rwm-map attribute uid mail

###################################
#
# LDAP entry for TWO
#
###################################
uri "ldap://1.2.3.2/ou=TWO,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=TWO,ou=Usuarios,dc=ldapproxy-pre,dc=local" "ou=TWO,ou=people,ou=users,dc=TWO,dc=local"
idassert-bind bindmethod=simple binddn="CN=USERTWO,CN=Users,DC=TWO,DC=local" credentials="????????????" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm

###################################
#
# LDAP entry for THREE
#
###################################
uri "ldap://1.2.3.3/ou=THREE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=THREE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=THREE,dc=red"
idassert-bind bindmethod=simple binddn="CN=USERTHREE,CN=Users,DC=THREE,DC=red" credentials="??????????????????????" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm

##########################################
#
# LDAP entry for FOUR
#
#########################################
uri "ldap://1.2.3.4/ou=FOUR,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=FOUR,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=FOUR,dc=loc"
idassert-bind bindmethod=simple binddn="CN=USERFOUR,CN=Users,DC=FOUR,DC=loc" credentials="??????????????????????" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm

###################################
#
# LDAP entry for FIVE
#
###################################
uri "ldap://1.2.3.5/ou=FIVE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=FIVE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=FIVE,dc=local"
idassert-bind bindmethod=simple binddn="CN=USERFIVE,CN=Users,DC=FIVE,DC=local" credentials="???????????????????" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm
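As an added example (not part of David's message and not a configuration shipped by the OpenLDAP project), the fragment below shows the back-meta timeout and quarantine directives documented in slapd-meta(5) placed after "database meta" and before the first "uri", where they act as defaults for every target. The directive names are real; every numeric value is an assumption to be tuned, the rootpw and credentials placeholders are kept from the original, and only the first target is repeated.

```conf
# Added example: global defaults for all back-meta targets (slapd-meta(5)).
# Placed after "database meta" and before the first "uri" so every target
# inherits them. All values are assumptions, not tested production settings.
database meta
suffix        "dc=ldapproxy-pre,dc=local"
rootdn        "cn=manager,dc=ldapproxy-pre,dc=local"
# placeholder, as in the original
rootpw        ??????????????
chase-referrals no
nretries      0

# Fail the TCP connect to an unreachable DC after 2 seconds instead of
# waiting for the kernel's own connect timeout (assumed value, seconds).
network-timeout 2

# Give up on the asynchronous bind to a target after 1 second; this
# directive takes microseconds (assumed value).
bind-timeout  1000000

# Per-operation timeouts in seconds, so one slow target cannot hold a
# client operation open indefinitely (assumed values).
timeout       bind=5 search=10 compare=5

# Quarantine a target that returned unavailable: retry once after 30 s,
# then 3 times at 60 s intervals, then every 300 s forever ("+").
# While quarantined the target is skipped instead of blocking the request.
quarantine    30,1;60,3;300,+

# Keep returning results from the reachable targets when one target
# errors out during a search (this is the default, stated explicitly).
onerr         continue

# Recycle cached connections so a DC that came back after a VPN flap is
# reconnected rather than reused from a stale socket (assumed values).
conn-ttl      300
idle-timeout  120

# Targets follow as in the original; only the first is shown here.
uri "ldap://1.2.3.1/ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=ONE,dc=local"
idassert-bind bindmethod=simple binddn="CN=USERONE,OU=Usuarios,DC=ONE,DC=local" credentials="??????????????" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
```

After changing the file, "slaptest -u -f /etc/openldap/slapd.conf" checks the syntax without touching the database. To confirm the effect, block the route to one DC on the proxy host and time a bind for a user of another domain with ldapwhoami against the proxy: with network-timeout and quarantine set, the first request should fail over within the network-timeout window and later requests should not wait on the quarantined target at all.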