Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g. The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will not respond (TCP SYN would be sent out by OpenLDAP, but no TCP ACK coming back):
#####################
backend meta
database meta
access to * by * read
suffix "dc=ldapproxy,dc=local"
uri ldap://10.10.10.10/dc=aas,dc=priv,dc=ldapproxy,dc=local ldap://aassydc02.aas.priv/
suffixmassage "dc=aas,dc=priv,dc=ldapproxy,dc=local" "dc=aas,dc=priv"
chase-referrals no
lastmod off
protocol-version 3
timeout 10
#####################
With the above timeout setting, I was hoping that after 10 seconds, OpenLDAP will try the next URI if the first URI did not respond ... but it did not, as per the tshark capture below.
What setting do I need to accomplish what I need ?
0.000000 127.0.0.1 -> 127.0.0.1 TCP 76 50649 > ldap [SYN] Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=133287492 TSecr=0 WS=128
0.000021 127.0.0.1 -> 127.0.0.1 TCP 76 ldap > 50649 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=133287492 TSecr=133287492 WS=128
0.000035 127.0.0.1 -> 127.0.0.1 TCP 68 50649 > ldap [ACK] Seq=1 Ack=1 Win=32896 Len=0 TSval=133287492 TSecr=133287492
0.000090 127.0.0.1 -> 127.0.0.1 LDAP 118 bindRequest(1) "cn=admin,dc=ldapproxy,dc=local" simple
0.000102 127.0.0.1 -> 127.0.0.1 TCP 68 ldap > 50649 [ACK] Seq=1 Ack=51 Win=32768 Len=0 TSval=133287492 TSecr=133287492
0.000829 127.0.0.1 -> 127.0.0.1 LDAP 82 bindResponse(1) success
0.000856 127.0.0.1 -> 127.0.0.1 TCP 68 50649 > ldap [ACK] Seq=51 Ack=15 Win=32896 Len=0 TSval=133287493 TSecr=133287493
0.000909 127.0.0.1 -> 127.0.0.1 LDAP 158 searchRequest(2) "DC=ldapproxy,DC=local" wholeSubtree
0.001196 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133287493 TSecr=0 WS=128
0.040403 127.0.0.1 -> 127.0.0.1 TCP 68 ldap > 50649 [ACK] Seq=15 Ack=141 Win=32768 Len=0 TSval=133287503 TSecr=133287493
1.001055 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133287743 TSecr=0 WS=128
3.006852 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133288244 TSecr=0 WS=128
7.013361 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133289246 TSecr=0 WS=128
15.020550 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133291248 TSecr=0 WS=128
31.052492 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133295256 TSecr=0 WS=128
60.063874 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133302508 TSecr=0 WS=128
61.060500 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133302758 TSecr=0 WS=128
63.065447 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133303259 TSecr=0 WS=128
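The quickest way to settle "did the proxy ever move on to the second URI?" is to read the capture mechanically rather than by eye. The script below is an added example, not part of the original post or of OpenLDAP: it parses tshark's one-line summary format, groups packets into connection attempts by (source, source port, destination, destination port), counts SYNs that never got a SYN,ACK, and reports per expected target whether a connection was attempted at all and how long the proxy waited before opening a fresh connection. The capture lines are the ones from the post above. One assumption: tshark prints IP addresses, so a target given as a hostname (aassydc02.aas.priv here) has to be passed as the address it resolves to for the parser to match it; with the hostname as-is it will correctly report that no SYN was seen for that target.

```python
"""Added example: measure slapd-meta failover behaviour from a tshark summary.

Not code from the thread or from OpenLDAP. Input lines are the capture posted
above; names such as failover_report() are this example's own.
"""
import re
from collections import OrderedDict

# Capture lines from the post (LDAP lines are kept; the parser ignores them).
CAPTURE = """\
0.000000 127.0.0.1 -> 127.0.0.1 TCP 76 50649 > ldap [SYN] Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=133287492 TSecr=0 WS=128
0.000021 127.0.0.1 -> 127.0.0.1 TCP 76 ldap > 50649 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=133287492 TSecr=133287492 WS=128
0.000035 127.0.0.1 -> 127.0.0.1 TCP 68 50649 > ldap [ACK] Seq=1 Ack=1 Win=32896 Len=0 TSval=133287492 TSecr=133287492
0.000090 127.0.0.1 -> 127.0.0.1 LDAP 118 bindRequest(1) "cn=admin,dc=ldapproxy,dc=local" simple
0.000829 127.0.0.1 -> 127.0.0.1 LDAP 82 bindResponse(1) success
0.000909 127.0.0.1 -> 127.0.0.1 LDAP 158 searchRequest(2) "DC=ldapproxy,DC=local" wholeSubtree
0.001196 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133287493 TSecr=0 WS=128
1.001055 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133287743 TSecr=0 WS=128
3.006852 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133288244 TSecr=0 WS=128
7.013361 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133289246 TSecr=0 WS=128
15.020550 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133291248 TSecr=0 WS=128
31.052492 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133295256 TSecr=0 WS=128
60.063874 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133302508 TSecr=0 WS=128
61.060500 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133302758 TSecr=0 WS=128
63.065447 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133303259 TSecr=0 WS=128
"""

# Targets in the order of the meta backend's uri directive (hostname kept as
# written; see the caveat in the lead-in about IP vs. name).
TARGETS = ["10.10.10.10", "aassydc02.aas.priv"]

# tshark summary: <time> <src> -> <dst> TCP <len> <sport> > <dport> [<flags>] ...
TCP_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)


def parse_tcp(lines):
    """Yield (time, src, dst, sport, dport, flag_set) for every TCP summary line."""
    for line in lines:
        m = TCP_RE.match(line.strip())
        if m:
            flags = {f.strip() for f in m.group("flags").split(",")}
            yield (float(m.group("t")), m.group("src"), m.group("dst"),
                   m.group("sport"), m.group("dport"), flags)


def connect_attempts(capture_text):
    """Group packets into connection attempts keyed by (src, sport, dst, dport).

    Each attempt records the times of its SYNs (first send plus retransmits)
    and whether a SYN,ACK ever came back from the peer.
    """
    attempts = OrderedDict()
    for t, src, dst, sport, dport, flags in parse_tcp(capture_text.splitlines()):
        if flags == {"SYN"}:                      # client SYN or retransmit
            key = (src, sport, dst, dport)
            attempts.setdefault(key, {"syns": [], "answered": False})["syns"].append(t)
        elif flags == {"SYN", "ACK"}:             # reverse direction: peer answered
            key = (dst, dport, src, sport)
            if key in attempts:
                attempts[key]["answered"] = True
    return attempts


def failover_report(capture_text, targets):
    """Per expected target: was it tried, how many SYNs went unanswered, and the
    gaps between successive connection attempts (the proxy's retry interval)."""
    attempts = connect_attempts(capture_text)
    report = {}
    for host in targets:
        mine = [v for k, v in attempts.items() if k[2] == host]
        if not mine:
            report[host] = {"attempted": False}
            continue
        starts = sorted(v["syns"][0] for v in mine)
        report[host] = {
            "attempted": True,
            "first_syn_at": starts[0],
            "connections": len(mine),
            "unanswered_syns": sum(len(v["syns"]) for v in mine if not v["answered"]),
            "answered": any(v["answered"] for v in mine),
            "retry_gaps": [b - a for a, b in zip(starts, starts[1:])],
        }
    return report


if __name__ == "__main__":
    for host, info in failover_report(CAPTURE, TARGETS).items():
        print(host, info)
```

Run against the posted capture, the report shows nine unanswered SYNs to 10.10.10.10 over two connections (source ports 58293 and 58295), a gap of roughly 60 seconds between the two connection attempts, and no attempt at all towards the second target, which is exactly the behaviour the question describes. The kernel's SYN retransmits at about 1, 3, 7, 15 and 31 seconds are the TCP backoff Ulrich alludes to further down; they are independent of any slapd-meta setting.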
On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g. The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will not respond (TCP SYN would be sent out by OpenLDAP, but no TCP ACK coming back):
...
timeout 10
...
With the above timeout setting, I was hoping that after 10 seconds, OpenLDAP will try the next URI if the first URI did not respond ... but it did not, as per the tshark capture below.
What setting do I need to accomplish what I need ?
man slapd-meta(5):

       network-timeout <time>
              Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity. The value is in seconds, and it can be specified as for idle-timeout. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
On 23 October 2013 15:34, Philip Guenther guenther+ldaptech@sendmail.com wrote:
On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g. The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will not respond (TCP SYN would be sent out by OpenLDAP, but no TCP ACK coming back):
...
timeout 10
...
With the above timeout setting, I was hoping that after 10 seconds, OpenLDAP will try the next URI if the first URI did not respond ... but it did not, as per the tshark capture below.
What setting do I need to accomplish what I need ?
man slapd-meta(5):

       network-timeout <time>
              Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity. The value is in seconds, and it can be specified as for idle-timeout. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
I've tried that as well ... same thing. I was hoping that OpenLDAP will detect that no TCP SYN/ACK was received, so that it tries the next URI in the list. It does not even try the next URI in the list.
On 23 October 2013 19:10, Jesus Jr M Salvo jesus.m.salvo@gmail.com wrote:
On 23 October 2013 15:34, Philip Guenther guenther+ldaptech@sendmail.com wrote:
On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g. The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will not respond (TCP SYN would be sent out by OpenLDAP, but no TCP ACK coming back):
...
timeout 10
...
With the above timeout setting, I was hoping that after 10 seconds, OpenLDAP will try the next URI if the first URI did not respond ... but it did not, as per the tshark capture below.
What setting do I need to accomplish what I need ?
man slapd-meta(5):

       network-timeout <time>
              Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity. The value is in seconds, and it can be specified as for idle-timeout. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
I've tried that as well ... same thing. I was hoping that OpenLDAP will detect that no TCP SYN/ACK was received, so that it tries the next URI in the list. It does not even try the next URI in the list.
I've removed all the timeout settings, and OpenLDAP does try the next entry in the URI list when the first one does not respond. The default seems to be 60 seconds before trying the next entry.
However, I could not seem to modify this to a shorter period, which is what I was hoping to achieve.
Jesus Jr M Salvo jesus.m.salvo@gmail.com wrote on 24.10.2013 at 10:59 in
message CALKjTzwLB6Eajd776sK1mqkAM=qOjrE5kW82bzqV-VVkMn5BZw@mail.gmail.com:
On 23 October 2013 19:10, Jesus Jr M Salvo jesus.m.salvo@gmail.com wrote:
On 23 October 2013 15:34, Philip Guenther guenther+ldaptech@sendmail.com wrote:
On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g. The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will not respond (TCP SYN would be sent out by OpenLDAP, but no TCP ACK coming back):
...
timeout 10
...
With the above timeout setting, I was hoping that after 10 seconds, OpenLDAP will try the next URI if the first URI did not respond ... but it did not, as per the tshark capture below.
What setting do I need to accomplish what I need ?
man slapd-meta(5):

       network-timeout <time>
              Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity. The value is in seconds, and it can be specified as for idle-timeout. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
I've tried that as well ... same thing. I was hoping that OpenLDAP will detect that no TCP SYN/ACK was received, so that it tries the next URI in the list. It does not even try the next URI in the list.
I've removed all the timeout settings, and OpenLDAP does try the next entry in the URI list when the first one does not respond. The default seems to be 60 seconds before trying the next entry.
However, I could not seem to modify this to a shorter period, which is what I was hoping to achieve.
I guess it's difficult for a TCP-based protocol. If you are strictly on an intranet, you could try to fiddle with TCP timeouts to get a "connection timed out" earlier. However, I guess if the destination port is just down, the error should be immediate already...
Regards, Ulrich
openldap-technical@openldap.org
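Ulrich's distinction matters operationally: a target whose port is closed answers with a RST and the connect fails at once, whereas a host that has been shut down (or is firewalled to drop SYNs) only fails when somebody's timer expires. If you cannot make slapd-meta's own timer short enough, you can at least find out in advance which of your targets would make the proxy hang. The script below is an added example, not code from the thread or from OpenLDAP: it reads the `uri` directive out of the slapd.conf fragment posted above (folding slapd.conf's leading-space line continuations), then probes each target with a bounded TCP connect and classifies the result as open, refused, timeout or unreachable. The probe itself is an operator-side health check and an assumption about how you would pre-check targets; it is not what slapd does internally.

```python
"""Added example: bounded connect probe of every target in a slapd-meta uri line.

Not from the thread or from OpenLDAP. parse_uri_targets(), probe() and
check_targets() are this example's own names; the config text is the one
from the original post.
"""
import socket
import time
from urllib.parse import urlsplit

# Config fragment from the original post (the directives this script needs).
SLAPD_CONF = """\
database meta
suffix "dc=ldapproxy,dc=local"
uri ldap://10.10.10.10/dc=aas,dc=priv,dc=ldapproxy,dc=local ldap://aassydc02.aas.priv/
suffixmassage "dc=aas,dc=priv,dc=ldapproxy,dc=local" "dc=aas,dc=priv"
timeout 10
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_uri_targets(conf_text):
    """Return [(host, port), ...] in the order the uri directive lists them.

    All URIs on one uri line belong to the same target, which is the failover
    group slapd-meta walks through; slapd.conf continues a directive on the
    next line when that line starts with whitespace, so fold those first.
    """
    targets = []
    folded = conf_text.replace("\n ", " ").replace("\n\t", " ")
    for line in folded.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "uri":
            for uri in parts[1:]:
                u = urlsplit(uri)
                if u.scheme not in DEFAULT_PORTS:
                    raise ValueError(f"unsupported scheme in {uri!r}")
                targets.append((u.hostname, u.port or DEFAULT_PORTS[u.scheme]))
    return targets


def probe(host, port, timeout_s):
    """One bounded TCP connect; returns (status, elapsed_seconds).

    status: 'open' (handshake completed), 'refused' (RST, immediate),
    'timeout' (SYN never answered within timeout_s), 'unreachable' (DNS or
    routing failure).
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            status = "open"
    except ConnectionRefusedError:
        status = "refused"
    except socket.timeout:
        status = "timeout"
    except OSError:
        status = "unreachable"
    return status, time.monotonic() - start


def check_targets(targets, timeout_s=3.0):
    """Probe every (host, port) and return [(host, port, status, elapsed), ...]."""
    return [(host, port) + probe(host, port, timeout_s) for host, port in targets]


def selftest_local():
    """Exercise the two fast cases offline: a local listener and a closed local port.

    Returns (status_of_open_port, status_of_closed_port).
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    open_status = probe("127.0.0.1", open_port, 2.0)[0]
    listener.close()

    spare = socket.socket()              # grab a free port number, then release it
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    closed_status = probe("127.0.0.1", closed_port, 2.0)[0]
    return open_status, closed_status


if __name__ == "__main__":
    for host, port, status, elapsed in check_targets(parse_uri_targets(SLAPD_CONF)):
        print(f"{host}:{port:<5} {status:<11} {elapsed:6.2f}s")
```

A result of `timeout` after the full probe interval is the case the thread is about: the kernel is still retransmitting SYNs and the proxy will sit on that target until its own timer fires. Run the check from the proxy host itself so that routing and firewall rules match what slapd sees.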