On 05/15/17 14:30 +0200, Sebastian Hagedorn wrote:
we're trying to move from auxprop sasldb to ldapdb. Everything is
working fine with both cyrus-imapd and sendmail. Even failover seems
to be working (with multiple entries for ldapdb_uri), but only if the
client gets a reject of some sort. Initially I tried to simulate the
failure of the primary LDAP server with an iptables rule that dropped
the packets. That led to a 30 second timeout and no failover taking
place:
~> AUTH DIGEST-MD5
<~ 334 xxx
~> xxx
<~* Timeout (30 secs) waiting for server response
*** No authentication type succeeded
Only when I changed the DROP to a REJECT in the iptables rule did the
failover work as expected. I realize that a server that's down usually
behaves like a REJECT rule, but I still would think that there should
be a configurable timeout after which a failover takes place in the
DROP scenario as well. In my 15+ years as a sysadmin there have been
several occasions where servers were nominally running but didn't
reply anymore, which would be just like that scenario.
You can limit the network timeout functionality of the ldapdb plugin using
the ldapdb_rc sasl option:
http://www.sendmail.org/~ca/email/cyrus2/options.html
See ldap.conf(5) and its TIMEOUT/TIMELIMIT options.
--
Dan White
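A worked configuration for the setup discussed in this thread, added here as an illustration and not taken from either poster: sendmail's SASL options with two ldapdb_uri entries, plus the ldapdb_rc file in ldap.conf(5) format that Dan points at. All host names, paths, credentials and timeout values are assumptions. Beyond the TIMEOUT/TIMELIMIT pair named above, the fragment also sets NETWORK_TIMEOUT, which is the ldap.conf(5) option that bounds the connect phase; that is the phase that stalls in the DROP test, where the SYN is never answered, so it is the value that lets libldap give up on the first URI and move on to the second.

```conf
# /etc/sasl2/Sendmail.conf  (assumed path; the file sendmail's SASL library reads)
pwcheck_method: auxprop
auxprop_plugin: ldapdb
# Two directory servers, tried in the order listed (host names are assumptions).
ldapdb_uri: ldap://ldap1.example.com ldap://ldap2.example.com
# Proxy identity ldapdb binds as (assumed values).
ldapdb_id: saslproxy
ldapdb_pw: secret
ldapdb_mech: DIGEST-MD5
# Hand libldap our own ldap.conf(5)-style file; ldapdb exports it as LDAPRC.
ldapdb_rc: /etc/sasl2/ldaprc

# /etc/sasl2/ldaprc  (ldap.conf(5) format; all values are assumptions)
# Connect phase: how long to wait on a host that silently drops packets
# before the next URI in ldapdb_uri is tried.
NETWORK_TIMEOUT 5
# Synchronous operations on an already established connection.
TIMEOUT 10
# Server-side time limit for the searches ldapdb issues.
TIMELIMIT 10
```

For cyrus-imapd the same ldapdb options go into imapd.conf with a `sasl_` prefix (`sasl_ldapdb_uri`, `sasl_ldapdb_rc`, and so on). After restarting the daemons, repeating the iptables DROP test should show the client stalling for roughly NETWORK_TIMEOUT seconds rather than the 30-second SASL timeout seen above, and then authenticating against the second server. The caveat is that nothing here remembers that the first host is dead: every new connection that tries it first still pays the NETWORK_TIMEOUT before failing over, so keep the value small and, if a host is known to be down, take it out of ldapdb_uri rather than relying on the timeout.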