On 14/08/2012 21:57, masarati@aero.polimi.it wrote:
> bind-timeout and network-timeout have specific, connection-level meaning. Just "timeout <seconds>" (you can make it search-specific if you don't want it to affect other operations, using "timeout search=<seconds>").
Setting timeout doesn't solve the problem, but it changes the behaviour. Now the ldapsearch times out after the value specified and reports:
result: 11 Administrative limit exceeded
text: Operation timed out
...but the LDAP server still doesn't attempt to contact the failover hosts. I've also verified this with tcpdump.
To recap, here's my current config. I can't help but think I'm doing something obviously wrong here if it's working for others.
database meta
suffix dc=local
rootdn cn=administrator,dc=local
rootpw secret

network-timeout 1
timeout 1

uri ldap://host1:3268/ou=dc1,dc=local ldap://host2:3268/ ldap://host3:3268/
suffixmassage "ou=dc1,dc=local" "dc=example,dc=com"
idassert-bind bindmethod=simple binddn="cn=proxyuser,dc=example,dc=com" credentials="password"
idassert-authzfrom "dn.exact:cn=administrator,dc=local"