[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAP Proxy Timeout Values

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: LDAP Proxy Timeout Values
From: Jack Kielsmeier <JKielsmeier@lightedge.com>
Date: Wed, 4 Jun 2014 14:25:54 +0000
Accept-language: en-US
Content-language: en-US
In-reply-to: <538F245D.1040403@symas.com>
References: <F945C99256B6D44E8E8F5C51580287B6192261@cdalnex02.cd.ent.corp> <538E1E0E.3000400@leicester.ac.uk> <F945C99256B6D44E8E8F5C51580287B6192992@cdalnex02.cd.ent.corp> <538F245D.1040403@symas.com>
Thread-index: Ac9/QS1ASDaMRyvuQEWt/OuwFPodqgASHXMAABrqWJAADCvwgAAJdWbQ
Thread-topic: LDAP Proxy Timeout Values

Would it matter that our suffixes are nested?

Example:

DB 1:
suffix "ou=sample4,dc=sample3,dc=sample2,dc=sample1"

DB 2:
suffix "dc=sample3,dc=sample2,dc=sample1"

AD Server:
suffix "dc=sample2,dc=sample1"

So, if the server doing 'suffix "dc=sample2,dc=sample1"' goes down, would the other 2 be affected?

Thanks

- Jack

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Wednesday, June 04, 2014 8:51 AM
To: Jack Kielsmeier; openldap-technical@openldap.org
Subject: Re: LDAP Proxy Timeout Values

Jack Kielsmeier wrote:
> Interesting.
>
> So you basically have some sort of script that checks responsiveness. If none, it reconfigures slapd.conf and restarts the process? Seems like quite a bandaid, but it'd work.
>
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org 
> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Liam 
> Gretton
> Sent: Tuesday, June 03, 2014 2:12 PM
> To: openldap-technical@openldap.org
> Subject: Re: LDAP Proxy Timeout Values
>
> On 03/06/2014 16:34, Jack Kielsmeier wrote:
>> We are running OpenLDAP 2.4.23. Part of our implementation proxies to 
>> an
Active Directory server. Whenever connectivity to the AD server is interrupted, queries to the non-proxied portion of our implementation take a very long time and cause many issues with querying services.

Based on the config info you provided, I don't see how that's possible. You have 3 database sections of note, and they are all independent. Queries to any of the first two databases cannot be affected by anything in the back-ldap database, unless you've deleted something crucial from the censored config you sent.

The doc sections you quote are not relevant, I suggest you re-read the
slapd-ldap(5) manpage more carefully.

> I reported a similar issue a couple of years ago:

Your issue was reported against back-meta, this post is about back-ldap. The configurations are not similar at all.
>
> http://www.openldap.org/its/index.cgi/Incoming?id=7372;selectid=7372
>
> That was with 2.4.32. I don't think it's been fixed since, but I've 
> worked
around it with a slightly unpleasant out-of-band check on our domain controllers which reconfigures OpenLDAP when it detects a DC going out of service.

 From what I see in the mailing list archives, there was nothing to fix. The timeouts all worked as designed when tested locally.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- LDAP Proxy Timeout Values
  - From: Jack Kielsmeier <JKielsmeier@lightedge.com>
- Re: LDAP Proxy Timeout Values
  - From: Liam Gretton <liam.gretton@leicester.ac.uk>
- RE: LDAP Proxy Timeout Values
  - From: Jack Kielsmeier <JKielsmeier@lightedge.com>
- Re: LDAP Proxy Timeout Values
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: LDAP Proxy Timeout Values
Next by Date: LMDB and multiple processes
Index(es):
- Chronological
- Thread