Re: Failover for ldapdb doesn't work when packets are dropped by iptables



On 05/15/17 14:30 +0200, Sebastian Hagedorn wrote:
we're trying to move from auxprop sasldb to ldapdb. Everything is working fine with both cyrus-imapd and sendmail. Even failover seems to be working (with multiple entries for ldapdb_uri), but only if the client gets a reject of some sort. Initially I tried to simulate the failure of the primary LDAP server with an iptables rule that dropped the packets. That led to a 30 second timeout and no failover taking place:

<~  334 xxx
~> xxx
<~* Timeout (30 secs) waiting for server response
*** No authentication type succeeded

Only when I changed the DROP to a REJECT in the iptables rule did the failover work as expected. I realize that a server that's down usually behaves like a REJECT rule, but I still would think that there should be a configurable timeout after which a failover takes place in the DROP scenario as well. In my 15+ years as a sysadmin there have been several occasions where servers were nominally running but didn't reply anymore, which would be just like that scenario.

You can limit the network timeout functionality of the ldapdb plugin using
the ldapdb_rc sasl option:

See ldap.conf(5) and its TIMEOUT/TIMELIMIT options.

Dan White
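As an added illustration (not part of the original thread, and not a configuration from either poster), here is how the two pieces fit together: a SASL application configuration that lists two ldapdb_uri servers and points ldapdb_rc at a separate file, and that file holding ldap.conf(5) timeouts. The file paths, hostnames, proxy identity and timeout values are assumptions chosen for the example. NETWORK_TIMEOUT is an additional ldap.conf(5) option beyond the two named in the reply; it bounds the TCP connect phase, which is the phase a packet-dropping firewall rule stalls, whereas TIMEOUT bounds a bind or search that has already connected but gets no answer.

```conf
# /etc/sasl2/imapd.conf  (assumed path; SASL application config for the ldapdb auxprop plugin)
auxprop_plugin: ldapdb
# Two URIs: libldap tries them in order, moving on when one fails or times out
ldapdb_uri: ldap://ldap1.example.com ldap://ldap2.example.com
ldapdb_id: proxyuser
ldapdb_pw: <proxy-password-placeholder>
ldapdb_mech: DIGEST-MD5
# Extra LDAP library settings are read from this ldap.conf(5)-style file
ldapdb_rc: /etc/sasl2/ldapdb.ldaprc

# /etc/sasl2/ldapdb.ldaprc  (assumed path; ldap.conf(5) syntax)
# Seconds to wait for the TCP connect to a URI before giving up on it
NETWORK_TIMEOUT 5
# Seconds to wait for a synchronous LDAP call (bind, search) to return
TIMEOUT 5
# Server-side search time limit, in seconds
TIMELIMIT 5
```

With a DROP rule in front of the first server, the connect attempt receives no SYN-ACK and no RST, so without NETWORK_TIMEOUT the client sits in the kernel's connect timeout for longer than the 30-second SASL exchange tolerates; capping it at a few seconds lets the second URI be tried while the authentication is still pending. Keep the ldaprc file readable only by the account running the SASL-using daemon, as it governs how that daemon reaches the directory.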
