On Sat, Nov 02, 2002 at 08:19:32PM -0500, Sam Varshavchik wrote:
> > Is there any way that courier-imap can be configured to access more than
> > one LDAP server, so that if the primary server should fail, courier will 
> > failover to a secondary (or a tertiary)?
> 
> In authldaprc, specify a comma-separated list of LDAP servers for 
> LDAP_SERVER.

Interesting, I never noticed before that ldap_init() can take a list of
hosts (the manpage says space separated). Just tried it though, and it
doesn't work usefully for me. I set:

LDAP_SERVER       1.2.3.4,<real-LDAP-server>

Attempting to login via POP3 just gave authentication failures. Looking at
netstat, I can see sockets in SYN_SENT state trying to contact the fake
server, which after 75 seconds change to ESTABLISHED to the real server -
but further authentications create additional sockets in SYN_SENT.

I am doing authentication by means of LDAP_AUTHBIND which looks like the
main problem here, since each authentication makes a new connection, after
the initial search for the user record. Courier is linked against
openldap-2.0.27, and the server is openldap-2.0.25.

I had a play with setting option LDAP_OPT_NETWORK_TIMEOUT. Since the time
from login to -ERR takes 20 seconds, and I know there is a 5 second sleep
after failures, then it looks like there is a 15 second master
authentication timeout. So I tried setting the LDAP connection timeout to 7
seconds at the end of ldapconnect:

        {
                /* p is the LDAP * handle; give each connect attempt 7 seconds */
                struct timeval v = {7L,0L};
                ldap_set_option(p, LDAP_OPT_NETWORK_TIMEOUT, &v);
        }

That gives response time of 14 seconds on the first POP3 connection (search
7 seconds, bind 7 seconds) and 7 seconds on the next one. That's not ideal
because 5 authdaemons will be able to handle less than 1 login per second
between them while the primary LDAP server is down, but it's an improvement.

Perhaps the simplest way to deal with this properly is to use a persistent
connection for AUTHBIND - i.e. using the LDAPv3 feature that the same
connection can bind repeatedly, rather than opening a new connection each
time.

Otherwise, authldap would have to keep track of which servers are "down" and
"up", which right now it delegates to ldap_init().

As an aside, here's another thought about AUTHBIND. I always thought it
would be a good idea if SASL authentications could be proxied through to the
LDAP server: this would give you the best of both worlds (the ability to use
SASL binds, without having to reveal cleartext passwords to the POP3
server). Looking at the OpenLDAP header files, it looks like there is a
function which could be used for this: ldap_sasl_interactive_bind_s. I don't
know how difficult it would be to hook this into the authlib/authdaemon
structure though.

Regards,

Brian.
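As an added example (not Courier's or authldap's own code), here is the kind of up/down bookkeeping the post says authldap would need if it stopped delegating the server list to ldap_init(): a parser for the LDAP_SERVER value plus a connect routine that remembers which hosts failed and skips them for a cooldown, so a dead primary costs one network timeout per cooldown rather than one per AUTHBIND. The connect step is a constructed callback so it runs without an LDAP library; the host name ldap.example.org and the 60-second cooldown are assumed values.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_SERVERS 8
#define DOWN_COOLDOWN 60 /* seconds a failed host is skipped; constructed value */

struct ldap_pool {
    char hosts[MAX_SERVERS][64];    /* parsed LDAP_SERVER entries */
    time_t down_until[MAX_SERVERS]; /* 0 = believed up, else skip until then */
    int n;
};

/* Parse the LDAP_SERVER value. Accepts comma or space separators, since the
 * post notes authldaprc uses commas while the ldap_init manpage says spaces. */
int pool_init(struct ldap_pool *p, const char *ldap_server)
{
    char buf[512], *tok;
    p->n = 0;
    snprintf(buf, sizeof buf, "%s", ldap_server);
    for (tok = strtok(buf, ", "); tok && p->n < MAX_SERVERS; tok = strtok(NULL, ", ")) {
        snprintf(p->hosts[p->n], sizeof p->hosts[p->n], "%s", tok);
        p->down_until[p->n] = 0;
        p->n++;
    }
    return p->n;
}

/* Try hosts in order, skipping any still inside its cooldown window.
 * connect_fn returns nonzero on success. Returns the index of the host that
 * answered, or -1 if every host is down or in cooldown. */
int pool_connect(struct ldap_pool *p, time_t now, int (*connect_fn)(const char *))
{
    int i;
    for (i = 0; i < p->n; i++) {
        if (p->down_until[i] > now)
            continue;                           /* don't pay the timeout again */
        if (connect_fn(p->hosts[i]))
            return i;
        p->down_until[i] = now + DOWN_COOLDOWN; /* mark down, retry later */
    }
    return -1;
}

/* Constructed stand-in for the connect step (no real LDAP traffic): the bogus
 * 1.2.3.4 from the post never answers, any other host does. probe_count makes
 * the saved connection attempts visible. */
int probe_count = 0;
int fake_connect(const char *host) { probe_count++; return strcmp(host, "1.2.3.4") != 0; }
```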


_______________________________________________
courier-users mailing list