[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-meta doesn't continue with multiple uri's

Liam Gretton wrote:
> On 23/08/2012 11:18, Howard Chu wrote:
> > Your description of your procedure is so vague and imprecise it's
> > difficult for anybody to decipher what you're talking about.
> > 
> > Reading back thru the several posts in this thread, what I see you
> > saying is that you have tested a few different configurations:
> > 
> > 1) target host is up, target LDAP server is down
> > 
> >      this should fail immediately because the host OS will
> >      immediately send a
> > 
> > TCP Connection Refused response
> > 
> > 2) target host is initially down
> > 
> >      this will not fail until the first TCP connect request times
> >      out
> > 
> > 3) target host is initially up and connected, but thru your
> > iptables manipulation you sever the link
> > 
> >      this will not fail until the TCP connection times out, which
> >      it won't
> > 
> > unless you're using TCP Keepalives, and by default those are only
> > sent once every 2 hours.
> 
> Let me make it less vague then.
> 
> What I've been trying to simulate are the various modes by which a
> uri target will become unavailable. What I'm trying to achieve is to
> have the meta backend point to four domain controllers and cope with
> one or more DCs being unavailable.
> 
> Having gone through this and let the system time out each time, I've
> found it does fail over under one of the conditions listed below, but
> it takes about 15 minutes to do so.
> 
> 
> Scenarios:
> 
> 1. slapd starts, first target is unreachable;
> 
> 2. slapd starts, first target is reachable but has no service
> running;
> 
> 3. slapd already running, first target up and connected then later
> becomes unreachable.
> 
> 
> Simulations:
> 
> a. 'Unreachable' simulated by blocking outbound access with the
> following iptables rule:
> 
>     iptables -A OUTPUT -d host1 -j DROP
> 
> b. 'Unreachable' simulated making the first target a host that is up
> but with no service running.
> 
> 
> Results (all with 2.4.32):
> 
> Case 1a: slapd retries host1 continuously and times out after about
> 180s. No attempt is made to contact additional targets.
> 
> Case 2b: slapd retries host1 continuously and times out after about
> 180s. No attempt is made to contact additional targets.
> 
> Case 3a: slapd retries host1 continuously, doubling an internal
> timeout value each time, eventually timing out after 19 retries and
> about 15m. It does then fall through to host2 and subsequent
> connections don't attempt to contact host1.
> 
> Here's my config. I've also tried setting nretries explicitly to 3,
> but it makes no difference.
> 
> 
> database            meta
> suffix              dc=local
> rootdn              cn=administrator,dc=local
> rootpw              secret
> 
> network-timeout     1
> 
> uri                 ldap://host1:3268/ou=dc1,dc=local
>                      ldap://host2:3268/
>                      ldap://host3:3268/
> 
> suffixmassage       "ou=dc1,dc=local" "dc=example,dc=com"
> 
> idassert-bind       bindmethod=simple
>                      binddn="cn=proxyuser,dc=example,dc=com"
>                      credentials="password"
> 
> idassert-authzfrom  "dn.exact:cn=administrator,dc=local"
> 
> 
> These results suggest to me that network-timeout and nretries (which
> should default to 3) don't work as documented.
I am really not astonished about your results.
Run your tests again, but use "reject" as iptables target.

"drop" means, that you never ever get an answer.

> Having said that, it does seem to at least cope with scenario 3,
> albeit with a long timeout.
> 
> Ideally it'd work in all cases. Pierangelo says the failover works
> when connect() times out, but I'd have thought that would include
> scenarios 1 and 2 but not 3.


-- 

Harry Jede