Re: OpenLDAP -> Active Directory occasionally takes 60 seconds to return query results??
James Garrison wrote:
> Apologies if this is a duplicate post. I never saw it on the list
> and it's not in the list archive at openldap.org.
>
> I have an interesting problem and before I go over to the Microsoft
> Active Directory groups I want to eliminate OpenLDAP as the culprit.
>
> I have Postfix configured to verify recipients in Active Directory
> using OpenLDAP (Postfix and OpenLDAP running on Fedora Core 2). 99.5%
> of the time, the Active Directory server responds to LDAP Search
> Requests within 1 millisecond (based on an Ethereal trace).
>
> Every once in a while, the response takes 60-70 seconds. What I see
> in the Ethereal trace then is a series of TCP-level retransmissions
> followed by an LDAP "Abandon Request" packet. This is followed by
> two more TCP-level retransmissions of the search request. Fifteen
> seconds after the LDAP "Abandon Request", the client receives a TCP
> ACK packet for the Abandon, followed immediately by the response
> (with ACK) to the original Search Request. The client (OpenLDAP)
> then RSTs the connection. Postfix treats all this as a "temporary
> lookup failure". The symptoms point to something causing a long
> delay in packet transmission (without actual packet loss) since the
> retransmission is happening in the TCP layer and the A/D server
> eventually responds to the original Search Request.
>
> 1) Has anyone seen this behavior?

Don't recall, no.

> 2) I seriously doubt OpenLDAP has anything to do with the problem.
> Anyone believe otherwise, and if so, why?

No, if you're getting TCP-level retransmits then it is by definition a
transport problem or lower, not application level.

-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
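
The diagnosis in this thread, as an added example that is not part of the original messages: a small Python check that scans a packet trace for payload segments sent more than once and reports how long each waited for its TCP ACK. The `Seg` record, the `stalled_segments` helper and every value in `TRACE` are constructed for illustration; the code assumes one connection between two endpoints and no sequence-number wraparound.

```python
from collections import defaultdict
from typing import NamedTuple

class Seg(NamedTuple):
    t: float     # seconds since the first packet of the trace
    src: str     # sending endpoint
    seq: int     # TCP sequence number of the first payload byte
    length: int  # payload bytes (0 for a bare ACK)
    ack: int     # acknowledgment number carried by this segment

# Constructed trace modelled on the description above: a search request
# retransmitted with backoff, an Abandon, two more retransmissions, then
# the server's ACK and the late search result.
TRACE = [Seg(t, "client", 1000, 80, 5000)
         for t in (0.0, 0.2, 0.6, 1.4, 3.0, 6.2, 12.6, 25.4)]
TRACE += [
    Seg(50.0, "client", 1080, 12, 5000),    # LDAP Abandon Request
    Seg(51.0, "client", 1000, 80, 5000),    # search request again
    Seg(58.0, "client", 1000, 80, 5000),    # and again
    Seg(65.0, "server", 5000, 0, 1092),     # ACK covering search + Abandon
    Seg(65.001, "server", 5000, 120, 1092), # search result, 65 s late
]

def stalled_segments(trace, min_stall=1.0):
    """Map (src, seq, length) -> (retransmissions, seconds until ACKed).

    Only segments sent more than once and left unacknowledged for at
    least min_stall seconds are reported; the delay is None if no ACK
    for the segment appears in the trace.
    """
    sends = defaultdict(list)
    for s in trace:
        if s.length > 0:
            sends[(s.src, s.seq, s.length)].append(s.t)
    report = {}
    for (src, seq, length), times in sends.items():
        end = seq + length  # peer must acknowledge up to this byte
        acked = next((s.t for s in trace
                      if s.src != src and s.t > times[0] and s.ack >= end),
                     None)
        delay = None if acked is None else acked - times[0]
        if len(times) > 1 and (delay is None or delay >= min_stall):
            report[(src, seq, length)] = (len(times) - 1, delay)
    return report

if __name__ == "__main__":
    for key, (count, delay) in stalled_segments(TRACE).items():
        print(key, "retransmissions:", count, "ACK delay:", delay)
```

A non-empty result means the sender's TCP stack was still waiting for an acknowledgment of bytes it had already handed to the network, which is the condition the reply above attributes to the transport layer or below.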