Bowie Bailey writes:

Can you give me a bit of insight into how the authdaemon processes are
handling the LDAP connections?  Do they ever close them or do they
assume the connection will remain open indefinitely?  What I would
assume is this:

- Each process opens a connection and holds it open.
- When an authentication request comes in, it tries to use the
  connection.
- If it fails, the process generates a 450 error and then opens a new
  connection for the next request.

This would mean that whenever an authdaemon process is idle for more
than the LDAP timeout period, I should expect to get an error on the
next incoming email that attempts to use that process.  Is that
accurate?

That's pretty much it. When no authentication requests arrive for five minutes, all open LDAP connections are closed. For this to happen, though, absolutely nothing needs to happen for five minutes.

The thing is that even if requests trickle in every once in a while, each request will go to only one daemon at random; the others will continue to remain idle and hold open connections.

I'm curious if the following patch will work; try it with the timeout set back to 30 seconds:

diff -U3 -r1.53 authldaplib.c
--- authldaplib.c       1 Oct 2005 03:45:06 -0000       1.53
+++ authldaplib.c       27 Jan 2006 23:25:51 -0000
@@ -915,11 +915,30 @@

static char *escape_str(const char *);

+static int auth_ldap_retry(const char *service,
+                          const char *user, const char *pass,
+                          int (*callback)(struct authinfo *, void *),
+                          void *arg, const char *newpass);
+
static int auth_ldap_do(const char *service,
                        const char *user, const char *pass,
                        int (*callback)(struct authinfo *, void *),
                        void *arg, const char *newpass)
{
+       int rc=auth_ldap_retry(service, user, pass, callback, arg, newpass);
+
+       if (rc > 0)
+               rc=auth_ldap_retry(service, user, pass, callback, arg,
+                                  newpass);
+
+       return rc;
+}
+
+static int auth_ldap_retry(const char *service,
+                          const char *user, const char *pass,
+                          int (*callback)(struct authinfo *, void *),
+                          void *arg, const char *newpass)
+{
        char *q;
        int i;
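
Review bot: the `if (rc > 0)` test in auth_ldap_do retries on every positive return code, not only when the held LDAP connection turned out to be dead. A failure with any other cause pays for a second full attempt, and if the first pass got as far as `callback` and the positive value came from there, the callback runs twice with the same `arg`. Consider having auth_ldap_retry report a lost connection distinctly and retrying only in that case, and add a comment above auth_ldap_do saying what a positive rc means and why exactly one retry is made.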



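The connection behaviour discussed in this message, as a small simulation added here (it is not code from authldaplib.c or from either poster). The 30-second server-side idle timeout, the three daemons and the arrival schedule are constructed assumptions; the five-minute global close is the figure given in the reply. It counts how many requests end in a temporary failure with and without a single retry, assuming the LDAP server itself is reachable.

```c
#include <stdio.h>

#define NDAEMONS            3
#define SERVER_IDLE_TIMEOUT 30   /* assumed: server drops a connection idle > 30 s */
#define GLOBAL_IDLE_CLOSE   300  /* from the thread: 5 quiet minutes closes everything */

struct request { long when; int daemon; };

/* Constructed schedule: arrival time in seconds and the daemon that was picked. */
static const struct request schedule[] = {
    {0, 0}, {10, 1}, {20, 2}, {60, 0}, {100, 1}, {110, 1}, {200, 2}, {600, 1},
};

/* Returns how many requests end in a temporary failure (the 450 case). */
int simulate(int retry_once)
{
    int  connected[NDAEMONS] = {0};
    long last_used[NDAEMONS] = {0};
    long last_any = 0;
    int  failures = 0;
    size_t n = sizeof schedule / sizeof schedule[0];

    for (size_t i = 0; i < n; i++) {
        long now = schedule[i].when;
        int  d   = schedule[i].daemon;

        /* Only total silence triggers the orderly close of all connections. */
        if (now - last_any >= GLOBAL_IDLE_CLOSE)
            for (int k = 0; k < NDAEMONS; k++)
                connected[k] = 0;
        last_any = now;

        /* This daemon sat idle while others took the traffic: its handle is stale. */
        if (connected[d] && now - last_used[d] > SERVER_IDLE_TIMEOUT) {
            connected[d] = 0;
            last_used[d] = now;
            if (!retry_once) {      /* original behaviour: fail now, reconnect next time */
                failures++;
                continue;
            }
        }
        connected[d] = 1;           /* fresh connect, or reconnect for the retry */
        last_used[d] = now;
    }
    return failures;
}

int main(void)
{
    printf("no retry: %d failures, one retry: %d failures\n", simulate(0), simulate(1));
    return 0;
}
```

The last request in the schedule arrives after more than five minutes of silence, so it succeeds in both modes; the three failures in the no-retry run all come from daemons that were idle while their siblings kept the global timer from expiring.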