Hello all,
I'm having an issue with the configuration of an OpenLDAP server working as a proxy to various Active Directory backends. The OpenLDAP proxy is in our network and we have various VPNs to connect it to the remote Windows Domain Controllers (5 remote Domain Controllers of different customers, each one managing its own domain).
To configure the proxy, we use the META database.
When all the Domain Controllers are up, everything works fine, but when one of them goes down (network problems, a machine reboot, etc.), the web app that uses the OpenLDAP proxy stops authenticating all users of all domains. The slapd process even hangs, and when you try to stop or restart the service, it takes a long time to respond. I can't find a way to force a short timeout to ignore the offline DC and let the users of the other domains continue working.
The server OS is CentOS Linux release 7.4.1708 (Core), and the OpenLDAP version is 2.4.44.
To check whether this is an issue of this old version, I have deployed another server with Fedora 30 and OpenLDAP 2.4.47, but I get the same behaviour, so it's probably a configuration problem.
Below is the slapd.conf file I'm using (with no private data). Any ideas about what to change in the configuration file?
Thanks in advance and best regards, David.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema

allow bind_v2

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile  /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload rwm.la
moduleload back_meta.la
moduleload back_ldap.la
moduleload back_null.la
moduleload back_bdb.la
moduleload back_hdb.la
moduleload back_ldif.la
moduleload back_shell.la
moduleload back_perl.la

# 4095 turns on every debug category from trace through parse, including the
# packet/BER dumps, which can write bind credentials to the log; keep it only
# while troubleshooting.
loglevel 4095

#######################################################################
# MDB database definitions
#######################################################################

### Ad Principal
database        meta
suffix          "dc=ldapproxy-pre,dc=local"
rootdn          "cn=manager,dc=ldapproxy-pre,dc=local"
rootpw          ??????????????
chase-referrals no
nretries        0

###################################
#
# LDAP entry for ONE
#
###################################
# Simple binds over plain ldap:// travel unencrypted; their confidentiality
# relies entirely on the VPN between the proxy and the DC.
uri "ldap://1.2.3.1/ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=ONE,dc=local"
idassert-bind bindmethod=simple
    binddn="CN=USERONE,OU=Usuarios,DC=ONE,DC=local"
    credentials="??????????????"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm
rwm-map attribute uid mail

###################################
#
# LDAP entry for TWO
#
###################################
uri "ldap://1.2.3.2/ou=TWO,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=TWO,ou=Usuarios,dc=ldapproxy-pre,dc=local" "ou=TWO,ou=people,ou=users,dc=TWO,dc=local"
idassert-bind bindmethod=simple
    binddn="CN=USERTWO,CN=Users,DC=TWO,DC=local"
    credentials="????????????"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm

###################################
#
# LDAP entry for THREE
#
###################################
uri "ldap://1.2.3.3/ou=THREE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=THREE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=THREE,dc=red"
idassert-bind bindmethod=simple
    binddn="CN=USERTHREE,CN=Users,DC=THREE,DC=red"
    credentials="??????????????????????"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm

##########################################
#
# LDAP entry for FOUR
#
#########################################
uri "ldap://1.2.3.4/ou=FOUR,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=FOUR,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=FOUR,dc=loc"
idassert-bind bindmethod=simple
    binddn="CN=USERFOUR,CN=Users,DC=FOUR,DC=loc"
    credentials="??????????????????????"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm

###################################
#
# LDAP entry for FIVE
#
###################################
uri "ldap://1.2.3.5/ou=FIVE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=FIVE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=FIVE,dc=local"
idassert-bind bindmethod=simple
    binddn="CN=USERFIVE,CN=Users,DC=FIVE,DC=local"
    credentials="???????????????????"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
overlay rwm
On 09/05/2019 at 12:10, David Sanchez Herrero wrote:
Hello David,
You should try configuring some timeouts to cut the connections to the failing AD. From "man slapd-meta":
bind-timeout <microseconds> This directive defines the timeout, in microseconds, used when polling for response after an asynchronous bind connection. The initial call to ldap_result(3) is performed with a trade-off timeout of 100000 us; if that results in a timeout exceeded, subsequent calls use the value provided with bind-timeout. The default value is used also for subsequent calls if bind-timeout is not specified. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
idle-timeout <time> This directive causes a cached connection to be dropped and recreated after it has been idle for the specified time. The value can be specified as
[<d>d][<h>h][<m>m][<s>[s]]
where <d>, <h>, <m> and <s> are respectively treated as days, hours, minutes and seconds. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
keepalive <idle>:<probes>:<interval> The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle is the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before dropping the connection; interval is interval in seconds between individual keepalive probes. Only some systems support the customization of these values; the keepalive parameter is ignored otherwise, and system-wide settings are used.
network-timeout <time> Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity. The value is in seconds, and it can be specified as for idle-timeout. If set before any target specification, it affects all targets, unless overridden by any per-target directive.
You could maybe give "network-timeout" a try first.
openldap-technical@openldap.org
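As an added illustration of the directives quoted above (this fragment is not from the thread and not from the OpenLDAP sources; the numeric values are illustrative, not recommendations), here is how the global settings of David's meta database would look with timeouts, keepalives and quarantine applied to all five targets, and how one target can override a single value. The idea is that a search under the common suffix is sent to every target, so one DC that never answers a connect or a bind holds up the whole operation; bounded waits let the other customers' users keep authenticating. The rwm overlay and rwm-map lines from the original file are left out here for brevity, and only the first two targets are shown.

```conf
# Added example, not part of the thread or of the OpenLDAP sources.
# Everything between "database meta" and the first "uri" applies to all
# targets; a per-target line placed after a "uri" overrides it for that
# target only. All numeric values are illustrative.
database        meta
suffix          "dc=ldapproxy-pre,dc=local"
rootdn          "cn=manager,dc=ldapproxy-pre,dc=local"
rootpw          ??????????????
chase-referrals no
nretries        0

# Give up on a connect(2) that gets no answer within 3 seconds.
# The unit is seconds (same syntax as idle-timeout).
network-timeout 3

# Poll for the asynchronous bind result for at most 2 seconds.
# The unit is MICROSECONDS, so 2 s is 2000000, not 2.
bind-timeout    2000000

# Per-operation deadlines, in seconds. Operations not listed keep the
# default (no timeout).
timeout         bind=5 search=10

# Drop and recreate a cached connection after 5 minutes idle, and
# unconditionally after 1 hour, so a half-dead connection to a DC that
# rebooted behind the VPN is not reused.
idle-timeout    5m
conn-ttl        1h

# TCP keepalives where the OS honours them: start probing after 60 s
# idle, send at most 3 probes, 10 s apart. Ignored on systems that do
# not allow per-socket keepalive tuning.
keepalive       60:3:10

# Once a target has returned LDAP_UNAVAILABLE, do not reconnect on every
# client request: retry at most once every 30 s for 10 attempts, then
# once every 5 minutes for ever ("+"). Must come before the first "uri".
quarantine      30,10;300,+

# If one target fails during a search, return what the others produced
# instead of failing the whole search ("continue" is the default and is
# stated here explicitly; "report" would also return the error at the end).
onerr           continue

# First target, inheriting all of the above.
uri "ldap://1.2.3.1/ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=ONE,ou=Usuarios,dc=ldapproxy-pre,dc=local" "dc=ONE,dc=local"
idassert-bind bindmethod=simple
    binddn="CN=USERONE,OU=Usuarios,DC=ONE,DC=local"
    credentials="??????????????"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"

# Second target, assumed to sit behind a slower VPN link: override only
# the connect timeout, everything else is still inherited.
uri "ldap://1.2.3.2/ou=TWO,ou=Usuarios,dc=ldapproxy-pre,dc=local"
readonly yes
lastmod off
suffixmassage "ou=TWO,ou=Usuarios,dc=ldapproxy-pre,dc=local" "ou=TWO,ou=people,ou=users,dc=TWO,dc=local"
idassert-bind bindmethod=simple
    binddn="CN=USERTWO,CN=Users,DC=TWO,DC=local"
    credentials="????????????"
    mode=none
    flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=ldapproxy-pre,dc=local"
network-timeout 10
```

Two caveats when testing this. First, the proxy still waits once per operation for a dead target until quarantine kicks in, and quarantine only starts after the target has actually returned LDAP_UNAVAILABLE, so keep network-timeout and bind-timeout well below the web app's own LDAP client timeout or the app will still see failures. Second, simulate the outage the way it happens in production: a DC that is powered off or a VPN that silently drops packets does not send a TCP RST, so connect(2) sits in the kernel until network-timeout expires, whereas a firewall that rejects with RST fails immediately and will not reproduce the hang.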