Would it matter that our suffixes are nested? Example:

DB 1: suffix "ou=sample4,dc=sample3,dc=sample2,dc=sample1"
DB 2: suffix "dc=sample3,dc=sample2,dc=sample1"
AD Server: suffix "dc=sample2,dc=sample1"

So, if the server doing 'suffix "dc=sample2,dc=sample1"' goes down, would the other 2 be affected?

Thanks

- Jack

-----Original Message-----
From: Howard Chu [mailto:[email protected]]
Sent: Wednesday, June 04, 2014 8:51 AM
To: Jack Kielsmeier; [email protected]
Subject: Re: LDAP Proxy Timeout Values

Jack Kielsmeier wrote:
> Interesting.
>
> So you basically have some sort of script that checks responsiveness. If
> none, it reconfigures slapd.conf and restarts the process? Seems like quite a
> bandaid, but it'd work.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Liam
> Gretton
> Sent: Tuesday, June 03, 2014 2:12 PM
> To: [email protected]
> Subject: Re: LDAP Proxy Timeout Values
>
> On 03/06/2014 16:34, Jack Kielsmeier wrote:
>> We are running OpenLDAP 2.4.23. Part of our implementation proxies to
>> an Active Directory server. Whenever connectivity to the AD server is
>> interrupted, queries to the non-proxied portion of our implementation
>> take a very long time and cause many issues with querying services.

Based on the config info you provided, I don't see how that's possible. You have 3 database sections of note, and they are all independent. Queries to any of the first two databases cannot be affected by anything in the back-ldap database, unless you've deleted something crucial from the censored config you sent.

The doc sections you quote are not relevant, I suggest you re-read the slapd-ldap(5) manpage more carefully.

> I reported a similar issue a couple of years ago:

Your issue was reported against back-meta, this post is about back-ldap. The configurations are not similar at all.

>
> http://www.openldap.org/its/index.cgi/Incoming?id=7372;selectid=7372
>
> That was with 2.4.32. I don't think it's been fixed since, but I've
> worked around it with a slightly unpleasant out-of-band check on our
> domain controllers which reconfigures OpenLDAP when it detects a DC
> going out of service.

From what I see in the mailing list archives, there was nothing to fix. The timeouts all worked as designed when tested locally.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
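
Added example, not part of the original thread and not OpenLDAP code: a small model of which of the three nested suffixes quoted above would serve a given base DN, so that the operations that can reach the proxied AD database are easy to pick out. It assumes the databases are not glued together with `subordinate`, that the most specific matching suffix wins, and a simplified DN normalization; the function names and sample DNs are constructed for illustration.

```python
# Constructed model: route an operation's base DN to one of the three
# databases named in the message, by most specific matching suffix.
DATABASES = [
    ("DB 1", "ou=sample4,dc=sample3,dc=sample2,dc=sample1"),
    ("DB 2", "dc=sample3,dc=sample2,dc=sample1"),
    ("AD Server", "dc=sample2,dc=sample1"),  # the proxied (back-ldap) suffix
]


def normalize(dn):
    """Simplified normalization: lowercase and trim each RDN.

    Assumption: no escaped commas or multi-valued RDNs in the input.
    """
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def select_database(base_dn, databases=DATABASES):
    """Return the label of the database whose suffix is the longest
    match for base_dn, or None when no suffix covers it."""
    base = normalize(base_dn)
    best_label, best_len = None, 0
    for label, suffix in databases:
        sfx = normalize(suffix)
        covers = sfx and len(sfx) <= len(base) and base[-len(sfx):] == sfx
        if covers and len(sfx) > best_len:
            best_label, best_len = label, len(sfx)
    return best_label


def depends_on_proxy(base_dn, proxy_label="AD Server"):
    """True when the base DN is served by the proxied database."""
    return select_database(base_dn) == proxy_label


if __name__ == "__main__":
    samples = [  # constructed base DNs
        "uid=jdoe,ou=sample4,dc=sample3,dc=sample2,dc=sample1",
        "ou=people,dc=sample3,dc=sample2,dc=sample1",
        "cn=Users,dc=sample2,dc=sample1",
    ]
    for dn in samples:
        print(f"{dn} -> {select_database(dn)} (proxy: {depends_on_proxy(dn)})")
```
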
