
Re: OpenLDAP -> Active Directory occasionally takes 60 seconds to return query results??

James Garrison wrote:
 Apologies if this is a duplicate post.  I never saw it on the list
 and it's not in the list archive at openldap.org.

 I have an interesting problem and before I go over to the Microsoft
 Active Directory groups I want to eliminate OpenLDAP as the culprit.

 I have Postfix configured to verify recipients in Active Directory
 using OpenLDAP (Postfix and OpenLDAP running on Fedora Core 2). 99.5%
 of the time, the Active Directory server responds to LDAP Search
 Requests within 1 millisecond (based on an Ethereal trace).

 Every once in a while, the response takes 60-70 seconds.  What I see
 in the Ethereal trace then is a series of TCP-level retransmissions
 followed by an LDAP "Abandon Request" packet.  This is followed by
 two more TCP-level retransmissions of the search request.  Fifteen
 seconds after the LDAP "Abandon Request", the client receives a TCP
 ACK packet for the Abandon, followed immediately by the response
 (with ACK) to the original Search Request.  The client (OpenLDAP)
 then RSTs the connection.  Postfix treats all this as a "temporary
 lookup failure".  The symptoms point to something causing a long
 delay in packet transmission (without actual packet loss) since the
 retransmission is happening in the TCP layer and the A/D server
 eventually responds to the original Search Request.


 1) Has anyone seen this behavior?

Don't recall, no.

 2) I seriously doubt OpenLDAP has anything to do with the problem.
 Anyone believe otherwise, and if so, why?

No, if you're getting TCP-level retransmits then it is by definition a transport problem or lower, not application level.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
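
Added example, not part of the original thread: a small Python classifier that applies the distinction made in the reply (retransmitted or late-ACKed segments point at the transport, promptly ACKed requests with a late answer point at the application) to a packet summary. The tuple layout, endpoint names, `slow` threshold and the trace itself are assumptions constructed for illustration, loosely following the sequence described in the question.

```python
from collections import defaultdict

def classify_requests(packets, server, slow=1.0):
    """packets: (time, src, dst, seq, ack, payload_len) in capture order,
    with relative sequence numbers (no wraparound handling).
    Returns {(client, seq): (resends, ack_delay, verdict)} for data sent to server."""
    first_sent = {}
    resends = defaultdict(int)
    for t, src, dst, seq, ack, length in packets:
        if dst != server or length == 0:
            continue                   # only client data segments are classified
        key = (src, seq, length)
        if key in first_sent:
            resends[key] += 1          # same bytes on the wire again: TCP retransmission
        else:
            first_sent[key] = t
    out = {}
    for (client, seq, length), sent in first_sent.items():
        # Packets from the server to this client that acknowledge the whole segment.
        covering = [(t, plen) for t, s, d, _, ack, plen in packets
                    if s == server and d == client and t >= sent and ack >= seq + length]
        ack_delay = covering[0][0] - sent if covering else None
        reply_delay = next((t - sent for t, plen in covering if plen > 0), None)
        n = resends[(client, seq, length)]
        if n or ack_delay is None or ack_delay > slow:
            verdict = "transport"      # resent, or the peer's TCP ACK itself was late/missing
        elif reply_delay is None or reply_delay > slow:
            verdict = "application"    # ACKed promptly, but the LDAP answer was late
        else:
            verdict = "ok"
        out[(client, seq)] = (n, ack_delay, verdict)
    return out

S = "ad:389"
# Constructed trace; endpoints, sequence numbers and timings are illustrative only.
TRACE = [
    (0.000, "c:40001", S, 1, 1, 80), (0.001, S, "c:40001", 1, 81, 120),   # normal lookup
    (10.0, "c:40002", S, 1, 1, 80),                                        # search request
    (10.2, "c:40002", S, 1, 1, 80), (10.6, "c:40002", S, 1, 1, 80),        # retransmissions
    (11.4, "c:40002", S, 1, 1, 80), (13.0, "c:40002", S, 1, 1, 80),
    (60.0, "c:40002", S, 81, 1, 12),                                       # Abandon Request
    (62.0, "c:40002", S, 1, 1, 80), (68.0, "c:40002", S, 1, 1, 80),        # two more resends
    (75.0, S, "c:40002", 1, 93, 0), (75.001, S, "c:40002", 1, 93, 150),    # ACK, then response
    (80.0, "c:40003", S, 1, 1, 80), (80.001, S, "c:40003", 1, 81, 0),      # prompt ACK...
    (85.0, S, "c:40003", 1, 81, 120),                                      # ...slow answer
]

if __name__ == "__main__":
    for key, (n, delay, verdict) in classify_requests(TRACE, S).items():
        print(key, f"resends={n}", f"ack_delay={delay}", verdict)
```

The third connection in the constructed trace is a contrast case that does not occur in the thread: it shows what an application-level delay would look like in the same capture format.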