Jack Stewart writes:

> Hi,
>
> I have a few quick questions and will follow with the interesting context.
>
> What is the correct or recommended way to set up, and recommended settings, for Courier IMAP/POP authentication to redundant LDAP servers?
>
> It seems that the Authorization Daemons for Courier have persistent connections to the LDAP server - under what conditions are these persistent connections torn down?

Inactivity. I think two or five minutes of nonuse.

> Are there settings to ensure they get torn down on a relatively regular basis?
>
> How can Courier make use of redundant LDAP servers? Will it fail over to the next server? Given the persistent connections, does it make the most sense to rotate the order of the LDAP servers in the multiple IMAP/POP machines for load balancing?
>
> Is it possible to compile the IMAP/POP servers so that they use the native LDAP authentication (i.e. OpenLDAP)?

That's what they do. Courier-IMAP builds against OpenLDAP.

> Now for the context:
>
> We have redundant LDAP servers (iPlanet LDAP servers with master/master configuration)
>
> + Two LDAP servers are accessed via a load balancer
> + Relatively recent instances of the Courier IMAP/POP servers (3.0.2)

That's about a year old. Not really recent, in Internet time.

> + Authentication for our IMAP/POP servers is run through the custom (i.e. PAM) modules which in turn authenticate via LDAP
> + Multiple IMAP (4) / POP (2) machines
>
> This resulted in a mess when one of the LDAP servers went down. The symptom was IMAP/POP would have intermittent authentication problems even after both servers were up and running. We were able to eventually track it down to persistent Authdaemon connections that were pointed (via PAM & load balancer) to ports that no longer existed.

Well, when the LDAP server goes down, all active connections would break. This would result in some intermittent authentication failures, but the connections should be reestablished fairly quickly.

This is to be expected.

There is some code that tries to recover a dead connection immediately, but with load balancers thrown in the mix it's not clear if it will work correctly.
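The behaviour the reply describes, a persistent directory connection that breaks when its server goes down and is re-established on the next use, is illustrated by the following added example. It is not Courier's authdaemon or PAM code, and it talks to no real LDAP server: `FakeLdapServer`, `FakeConnection` and `FailoverAuthClient` are hypothetical names, the servers and credentials are constructed in-process, and the point is to show why a dead connection should cost at most one failed lookup before the client moves to the next server in its list, rather than lingering as a source of intermittent failures.

```python
"""Reconnect-on-failure across redundant directory servers (added example,
not Courier code). All servers and credentials are constructed in-process."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ConnectionBroken(Exception):
    """Raised when the server behind a connection is unreachable."""


@dataclass
class FakeLdapServer:
    """Stand-in for one LDAP server; toggling `up` simulates an outage."""
    name: str
    up: bool = True
    users: Dict[str, str] = field(default_factory=dict)  # DN -> password

    def open(self) -> "FakeConnection":
        if not self.up:
            raise ConnectionBroken(f"{self.name}: connection refused")
        return FakeConnection(self)


@dataclass
class FakeConnection:
    """A persistent connection; it breaks as soon as its server goes down."""
    server: FakeLdapServer

    def bind(self, dn: str, password: str) -> bool:
        if not self.server.up:
            raise ConnectionBroken(f"{self.server.name}: connection reset")
        return self.server.users.get(dn) == password


class FailoverAuthClient:
    """Holds one persistent connection and fails over when it dies."""

    def __init__(self, servers: List[FakeLdapServer]):
        if not servers:
            raise ValueError("need at least one server")
        self.servers = servers
        self.current = 0                      # index of the server in use
        self.conn: Optional[FakeConnection] = None
        self.reconnects = 0                   # how often a dead link was replaced

    def _connect(self) -> None:
        """Try every server once, starting at self.current, and keep the first that answers."""
        failures = []
        for attempt in range(len(self.servers)):
            idx = (self.current + attempt) % len(self.servers)
            try:
                self.conn = self.servers[idx].open()
                self.current = idx
                return
            except ConnectionBroken as exc:
                failures.append(str(exc))
        raise ConnectionBroken("all servers unreachable: " + "; ".join(failures))

    def authenticate(self, dn: str, password: str) -> bool:
        if self.conn is None:
            self._connect()
        try:
            return self.conn.bind(dn, password)
        except ConnectionBroken:
            # The persistent connection died (server restart, load balancer
            # dropped it): discard it, advance to the next server, retry once.
            self.conn = None
            self.reconnects += 1
            self.current = (self.current + 1) % len(self.servers)
            self._connect()
            return self.conn.bind(dn, password)


def demo() -> dict:
    """One server outage and recovery; returns what each step observed."""
    users = {"uid=alice,ou=people,dc=example,dc=org": "s3cret"}  # constructed
    ldap_a = FakeLdapServer("ldap-a", users=dict(users))
    ldap_b = FakeLdapServer("ldap-b", users=dict(users))
    client = FailoverAuthClient([ldap_a, ldap_b])
    dn = next(iter(users))
    out = {}
    out["before_outage"] = client.authenticate(dn, "s3cret")
    out["server_before"] = client.servers[client.current].name
    ldap_a.up = False                          # first server goes down
    out["during_outage"] = client.authenticate(dn, "s3cret")
    out["server_during"] = client.servers[client.current].name
    out["wrong_password"] = client.authenticate(dn, "nope")
    ldap_a.up = True                           # it comes back; the live link stays
    out["after_recovery"] = client.authenticate(dn, "s3cret")
    out["server_after"] = client.servers[client.current].name
    out["reconnects"] = client.reconnects
    return out


def demo_total_outage() -> bool:
    """With every server down the failure must surface, not hang or loop."""
    client = FailoverAuthClient([FakeLdapServer("ldap-a", up=False),
                                 FakeLdapServer("ldap-b", up=False)])
    try:
        client.authenticate("uid=nobody,dc=example,dc=org", "x")
    except ConnectionBroken:
        return True
    return False


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("total outage reported:", demo_total_outage())
```

Note the one thing this example cannot show: when the client only ever sees a load balancer's address, it has no server list to rotate through, so the reconnect logic above collapses to "retry the same address once" and the outcome depends entirely on whether the balancer has already stopped handing out the dead backend, which is the uncertainty the reply points at.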
