Hello,

We are running OpenLDAP 2.4.23. Part of our implementation proxies to an Active 
Directory server. Whenever connectivity to the AD server is interrupted, 
queries to the non-proxied portion of our implementation take a very long time 
and cause many issues with querying services.

I have been looking at timeout options for both slapd.conf and ldap.conf and I 
have found the following:

ldap.conf:

       NETWORK_TIMEOUT <integer>
              Specifies the timeout (in seconds) after which the 
poll(2)/select(2) following a connect(2) returns in case of no activity.

       TIMEOUT <integer>
              Specifies a timeout (in seconds) after which calls to synchronous 
LDAP APIs will abort if no response is received.  Also used  for
              any ldap_result(3) calls where a NULL timeout parameter is 
supplied.

slapd.conf:

       idletimeout <integer>
              Specify the number of seconds to wait before forcibly closing an 
idle client connection.  An idletimeout of 0 disables this feature.   The
              default is 0. You may also want to set the writetimeout option.

       writetimeout <integer>
              Specify  the  number of seconds to wait before forcibly closing a 
connection with an outstanding write. This allows recovery from various
              network hang conditions.  A writetimeout of 0 disables this 
feature.  The default is 0.

I am wondering which timeout values would be best to set in order to speed up 
queries when proxy connectivity is interrupted.  Perhaps there is something 
else wrong with our config that is causing this issue.

Our ldap.conf file is basically empty (so it is using all defaults).

Our slapd.conf looks something like this (heavily edited to remove specific 
info):

##########BEGIN SLAPD.CONF##########

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba3.schema
include         /etc/openldap/schema/lockfile.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/ldap2dns.schema
include         /etc/openldap/schema/radius.schema
include         /etc/openldap/schema/mail.schema

# 256 = "stats": connection/operation/result logging only.
loglevel 256

# Accept LDAPv2 binds; only needed for legacy clients.
allow bind_v2

sasl-host [REMOVED]
sasl-realm [REMOVED]

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap
moduleload      rwm

tool-threads 2

# All TLS directives are commented out, so this slapd cannot offer
# StartTLS/ldaps: simple binds from clients (including rootpw) arrive
# in cleartext unless the network path is protected by other means.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificatePath /etc/ssl/certs/
#TLSCertificateFile [REMOVED]
#TLSCertificateKeyFile [REMOVED]
#TLSVerifyClient demand

# Global ACLs: these are evaluated for every database that follows and
# that has no more specific matching rule of its own.
access to attrs=[REMOVED]
        by anonymous [REMOVED]
        by * [REMOVED]

access to attrs=[REMOVED]
        by * [REMOVED]

access to [REMOVED]
        by * [REMOVED]

access to [REMOVED]
        by * [REMOVED]


# First local (non-proxied) database; consumer of a syncrepl provider.
database [REMOVED]
suffix "[REMOVED]"
checkpoint      20480 5
cachesize       100000
directory       [REMOVED]

dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_max 268435456
dbconfig set_lg_bsize 16777216
dbconfig set_lk_max_objects 5000
dbconfig set_lk_max_locks 5000
dbconfig set_lk_max_lockers 50000
dbconfig set_flags DB_LOG_AUTOREMOVE

index [REMOVED]
index [REMOVED]
index [REMOVED]



rootdn          [REMOVED]
# rootpw lives in this file: keep the file mode restrictive, and prefer a
# hashed value (slappasswd) over a cleartext one.
rootpw          [REMOVED]
# Replication credentials are also stored here in cleartext, and the
# provider URI is plain "ldap" unless the [REMOVED] value says otherwise,
# so the bind to the provider may cross the wire unprotected — confirm.
# schemachecking=off: entries from the provider are accepted without
# schema validation on this consumer.
syncrepl rid=[REMOVED]
        provider=[REMOVED]
        type=refreshAndPersist
        retry="300 +"
        searchbase="[REMOVED]"
        filter="(objectClass=*)"
        sizelimit="unlimited"
        timelimit="unlimited"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="[REMOVED]"
        credentials=[REMOVED]


# Second local (non-proxied) database; same layout and tuning as the first.
database [REMOVED]
suffix "[REMOVED]"
checkpoint      20480 5
cachesize       100000
directory       [REMOVED]

dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_max 268435456
dbconfig set_lg_bsize 16777216
dbconfig set_lk_max_objects 5000
dbconfig set_lk_max_locks 5000
dbconfig set_lk_max_lockers 50000
dbconfig set_flags DB_LOG_AUTOREMOVE

index [REMOVED]
index [REMOVED]
index [REMOVED]



rootdn          "[REMOVED]"
# rootpw lives in this file: keep the file mode restrictive, and prefer a
# hashed value (slappasswd) over a cleartext one.
rootpw          [REMOVED]
# Same caveats as the first consumer: cleartext replication credentials in
# this file, and schemachecking=off accepts provider entries unvalidated.
syncrepl [REMOVED]
        provider=[REMOVED]
        type=refreshAndPersist
        retry="300 +"
        searchbase="[REMOVED]"
        filter="(objectClass=*)"
        sizelimit="unlimited"
        timelimit="unlimited"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="[REMOVED]"
        credentials=[REMOVED]


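# Proxy (back-ldap) to Active Directory.
#
# The ldap.conf TIMEOUT/NETWORK_TIMEOUT options are client-library defaults
# and the slapd.conf idletimeout/writetimeout options govern *inbound* client
# connections; none of them bounds the *outbound* connections this database
# opens to AD.  Those are controlled by the per-database directives added
# below (see slapd-ldap(5) for the exact set supported by your release).
database ldap

suffix "[REMOVED]"
# NOTE(review): there is a space after "ldap://" in both URIs.  If that is not
# a redaction artifact it will not parse as a host; confirm against the live
# file.  Both targets are plain "ldap", so the simple binds below (acl-bind,
# idassert-bind and rebind-as-user) are sent to AD unencrypted; slapd-ldap(5)
# offers "tls start" if AD accepts StartTLS.
uri     "ldap:// [REMOVED]"
uri     "ldap:// [REMOVED]"

# --- Outbound timeouts -----------------------------------------------------
# Without these, every operation forwarded while AD is unreachable waits on
# the OS connect()/read defaults.  Each stuck operation holds a slapd worker
# thread; once the (small, shared) thread pool is exhausted, searches against
# the local databases queue behind them too, which matches the reported
# symptom.  The numbers are EXAMPLE values (constructed) — tune to your
# environment.
#
# Seconds to wait for connect() to complete before giving up on a URI.
network-timeout 5
# Per-operation response limits once connected.
timeout         bind=10 search=30
# Drop cached outbound connections that have been unused for this long.
idle-timeout    60
# Recycle every cached outbound connection after this lifetime.
conn-ttl        300
# After a URI reports LDAP_UNAVAILABLE, retry only at these intervals
# (5 tries 30s apart, then 5 tries 300s apart) instead of on every request.
quarantine      "30,5;300,5"

rebind-as-user
lastmod   off
# NOTE(review): chasing referrals returned by AD (common for subtree searches
# at a domain root) opens further outbound connections that are subject to the
# same delays.  "no" is the safer setting unless the referred partitions are
# actually needed.
chase-referrals yes

acl-bind
        bindmethod=simple
        binddn="[REMOVED]"
        credentials="[REMOVED]"
idassert-bind
        bindmethod=simple
        binddn="[REMOVED]"
        credentials="[REMOVED]"
        mode=none
        flags=prescriptive
# "dn.regex:.*" lets every bound DN be asserted to AD via the idassert
# identity.  Narrow this to the DNs that actually need to reach AD if the
# proxy is not meant to serve the whole directory population.
idassert-authzFrom   "dn.regex:.*"

overlay rwm
rwm-map     attribute       [REMOVED]
rwm-map     attribute       [REMOVED]
rwm-map     attribute       [REMOVED]
rwm-map     attribute       [REMOVED]
rwm-map     attribute       [REMOVED]
rwm-map     attribute       [REMOVED]
rwm-map     objectclass     [REMOVED]
rwm-map     objectclass     [REMOVED]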



# Final database (type redacted).  If this is the parent/glue of the suffixes
# above, subtree searches rooted here can fan out into the AD proxy as well,
# so the proxy timeouts matter for it too — confirm which suffix it serves.
database [REMOVED]

##########END SLAPD.CONF##########

Thank You
