9:08 p.m.
Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g.
The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will
not respond ( TCP SYN would be sent out by OpenLDAP, but no TCP ACK
coming back ):
#####################
backend meta
database meta
access to *
by * read
suffix "dc=ldapproxy,dc=local"
uri ldap://10.10.10.10/dc=aas,dc=priv,dc=ldapproxy,dc=local
ldap://aassydc02.aas.priv/
suffixmassage "dc=aas,dc=priv,dc=ldapproxy,dc=local"
"dc=aas,dc=priv"
chase-referrals no
lastmod off
protocol-version 3
timeout 10
#####################
With the above timeout setting, I was hoping that after 10 seconds,
OpenLDAP will try the next URI it the first URI did not respond ...
but it did not as per tshark capture below.
What setting do I need to accomplish what I need ?
0.000000 127.0.0.1 -> 127.0.0.1 TCP 76 50649 > ldap [SYN]
Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=133287492 TSecr=0
WS=128
0.000021 127.0.0.1 -> 127.0.0.1 TCP 76 ldap > 50649 [SYN, ACK]
Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=133287492
TSecr=133287492 WS=128
0.000035 127.0.0.1 -> 127.0.0.1 TCP 68 50649 > ldap [ACK]
Seq=1 Ack=1 Win=32896 Len=0 TSval=133287492 TSecr=133287492
0.000090 127.0.0.1 -> 127.0.0.1 LDAP 118 bindRequest(1)
"cn=admin,dc=ldapproxy,dc=local" simple
0.000102 127.0.0.1 -> 127.0.0.1 TCP 68 ldap > 50649 [ACK]
Seq=1 Ack=51 Win=32768 Len=0 TSval=133287492 TSecr=133287492
0.000829 127.0.0.1 -> 127.0.0.1 LDAP 82 bindResponse(1) success
0.000856 127.0.0.1 -> 127.0.0.1 TCP 68 50649 > ldap [ACK]
Seq=51 Ack=15 Win=32896 Len=0 TSval=133287493 TSecr=133287493
0.000909 127.0.0.1 -> 127.0.0.1 LDAP 158 searchRequest(2)
"DC=ldapproxy,DC=local" wholeSubtree
0.001196 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133287493 TSecr=0
WS=128
0.040403 127.0.0.1 -> 127.0.0.1 TCP 68 ldap > 50649 [ACK]
Seq=15 Ack=141 Win=32768 Len=0 TSval=133287503 TSecr=133287493
1.001055 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133287743 TSecr=0
WS=128
3.006852 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133288244 TSecr=0
WS=128
7.013361 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133289246 TSecr=0
WS=128
15.020550 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133291248 TSecr=0
WS=128
31.052492 172.21.17.193 -> 10.10.10.10 TCP 76 58293 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133295256 TSecr=0
WS=128
60.063874 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133302508 TSecr=0
WS=128
61.060500 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133302758 TSecr=0
WS=128
63.065447 172.21.17.193 -> 10.10.10.10 TCP 76 58295 > ldap [SYN]
Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=133303259 TSecr=0
WS=128
9:34 p.m.
On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g.
The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will
not respond ( TCP SYN would be sent out by OpenLDAP, but no TCP ACK
coming back ):
...
timeout 10
...
With the above timeout setting, I was hoping that after 10 seconds,
OpenLDAP will try the next URI it the first URI did not respond ...
but it did not as per tshark capture below.
What setting do I need to accomplish what I need ?
man slapd-meta(5)
network-timeout <time>
Sets the network timeout value after which poll(2)/select(2)
following a connect(2) returns in case of no activity. The
value is in seconds, and it can be specified as for
idle-timeout. If set before any target specification, it affects
all targets, unless overridden by any per-target directive.
1:10 a.m.
On 23 October 2013 15:34, Philip Guenther
<guenther+ldaptech(a)sendmail.com> wrote:
On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
> Using the meta backend, I have specified a list of LDAP URIs.
>
> I am testing what happens if the first URI becomes unresponsive ( e.g.
> The host was shutdown, etc. ).
>
> So I deliberately put in a bogus URI as the first URI that I know will
> not respond ( TCP SYN would be sent out by OpenLDAP, but no TCP ACK
> coming back ):
...
> timeout 10
...
> With the above timeout setting, I was hoping that after 10 seconds,
> OpenLDAP will try the next URI it the first URI did not respond ...
> but it did not as per tshark capture below.
>
> What setting do I need to accomplish what I need ?
man slapd-meta(5)
network-timeout <time>
Sets the network timeout value after which poll(2)/select(2)
following a connect(2) returns in case of no activity. The
value is in seconds, and it can be specified as for
idle-timeout. If set before any target specification, it affects
all targets, unless overridden by any per-target directive.
I've tried that as well ... same thing. I was hoping that OpenLDAP
will detect that no TCP SYN/ACK was received, so that it tries the
next URI in the list. It does not even try the next URI in the list.
1:59 a.m.
On 23 October 2013 19:10, Jesus Jr M Salvo <jesus.m.salvo(a)gmail.com> wrote:
On 23 October 2013 15:34, Philip Guenther
<guenther+ldaptech(a)sendmail.com> wrote:
> On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
>> Using the meta backend, I have specified a list of LDAP URIs.
>>
>> I am testing what happens if the first URI becomes unresponsive ( e.g.
>> The host was shutdown, etc. ).
>>
>> So I deliberately put in a bogus URI as the first URI that I know will
>> not respond ( TCP SYN would be sent out by OpenLDAP, but no TCP ACK
>> coming back ):
> ...
>> timeout 10
> ...
>> With the above timeout setting, I was hoping that after 10 seconds,
>> OpenLDAP will try the next URI it the first URI did not respond ...
>> but it did not as per tshark capture below.
>>
>> What setting do I need to accomplish what I need ?
>
> man slapd-meta(5)
> network-timeout <time>
> Sets the network timeout value after which poll(2)/select(2)
> following a connect(2) returns in case of no activity. The
> value is in seconds, and it can be specified as for
> idle-timeout. If set before any target specification, it affects
> all targets, unless overridden by any per-target directive.
>
I've tried that as well ... same thing. I was hoping that OpenLDAP
will detect that no TCP SYN/ACK was received, so that it tries the
next URI in the list. It does not even try the next URI in the list.
I've removed all the timeout settings, and OpenLDAP does try the next
entry in the URI list when the first one does not respond. The default
seems to be 60 seconds before trying the next entry.
However, I could not seem to modify this to a shorter period which is
what I was hoping to achieve.
11:12 p.m.
New subject: Antw: Re: slapd-ldap and Multiple URIs: Dealing with hosts that are down
>> Jesus Jr M Salvo <jesus.m.salvo(a)gmail.com> schrieb am
24.10.2013 um 10:59 in
Nachricht
<CALKjTzwLB6Eajd776sK1mqkAM=qOjrE5kW82bzqV-VVkMn5BZw(a)mail.gmail.com>:
On 23 October 2013 19:10, Jesus Jr M Salvo
<jesus.m.salvo(a)gmail.com> wrote:
> On 23 October 2013 15:34, Philip Guenther
> <guenther+ldaptech(a)sendmail.com> wrote:
>> On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
>>> Using the meta backend, I have specified a list of LDAP URIs.
>>>
>>> I am testing what happens if the first URI becomes unresponsive ( e.g.
>>> The host was shutdown, etc. ).
>>>
>>> So I deliberately put in a bogus URI as the first URI that I know will
>>> not respond ( TCP SYN would be sent out by OpenLDAP, but no TCP ACK
>>> coming back ):
>> ...
>>> timeout 10
>> ...
>>> With the above timeout setting, I was hoping that after 10 seconds,
>>> OpenLDAP will try the next URI it the first URI did not respond ...
>>> but it did not as per tshark capture below.
>>>
>>> What setting do I need to accomplish what I need ?
>>
>> man slapd-meta(5)
>> network-timeout <time>
>> Sets the network timeout value after which poll(2)/select(2)
>> following a connect(2) returns in case of no activity. The
>> value is in seconds, and it can be specified as for
>> idle-timeout. If set before any target specification, it
affects
>> all targets, unless overridden by any per-target directive.
>>
>
> I've tried that as well ... same thing. I was hoping that OpenLDAP
> will detect that no TCP SYN/ACK was received, so that it tries the
> next URI in the list. It does not even try the next URI in the list.
I've removed all the timeout settings, and OpenLDAP does try the next
entry in the URI list when the first one does not respond. The default
seems to be 60 seconds before trying the next entry.
However, I could not seem to modify this to a shorter period which is
what I was hoping to achieve.
I guess it's difficult for a TCP based protocol. If you are strictly on Intranet, you
could try to fiddle with TCP timeouts to get a "connection timed out" earlier.
However I guess if the destination port is just down, the error should be immediate
already...
Regards,
Ulrich
3515
days inactive
3517
days old
openldap-technical@openldap.org
4 comments
3 participants
participants (3)
-
Jesus Jr M Salvo -
Philip Guenther -
Ulrich Windl