On 09/05/2019 at 12:10, David Sanchez Herrero wrote:
> Hello all,
>
> I'm having an issue with the configuration of an OpenLDAP working as a
> proxy to various Active Directory backends. The OpenLDAP proxy is in
> our network and we have various VPNs to connect it to the remote Windows Domain
> Controllers (5 remote Domain Controllers of different customers, each
> one managing its own domain).
>
> To configure the proxy, we use the META database.
>
> When all the Domain Controllers are up, everything works fine, but
> when one of them goes down (network problems, a machine reboot, etc.),
> the web app that uses the OpenLDAP proxy
> stops authenticating all users of all domains. The system process is
> even hung, and when you try to stop or restart the service,
> it takes a long time to respond. I can't find a way to force a short
> timeout to ignore the offline DC and let the users of the other
> domains continue working.
>
> The server OS is CentOS Linux release 7.4.1708 (Core), and the
> OpenLDAP version 2.4.44.
>
> To check if this is an issue of this old version, I have deployed
> another server with Fedora 30 and OpenLDAP 2.4.47, but same behaviour,
> so it's probably a configuration problem.
>
> Below is the slapd.conf file I'm using (with no private data). Any
> ideas about what to change in the configuration file?
>
> Thanks in advance and best regards, David.
Hello David,

you should try to configure some timeout to cut connections to failing AD. From "man slapd-meta":

    bind-timeout <microseconds>
        This directive defines the timeout, in microseconds, used when
        polling for response after an asynchronous bind connection. The
        initial call to ldap_result(3) is performed with a trade-off
        timeout of 100000 us; if that results in a timeout exceeded,
        subsequent calls use the value provided with bind-timeout. The
        default value is used also for subsequent calls if bind-timeout
        is not specified. If set before any target specification, it
        affects all targets, unless overridden by any per-target
        directive.

    idle-timeout <time>
        This directive causes a cached connection to be dropped and
        recreated after it has been idle for the specified time. The
        value can be specified as [<d>d][<h>h][<m>m][<s>[s]] where <d>,
        <h>, <m> and <s> are respectively treated as days, hours,
        minutes and seconds. If set before any target specification, it
        affects all targets, unless overridden by any per-target
        directive.

    keepalive <idle>:<probes>:<interval>
        The keepalive parameter sets the values of idle, probes, and
        interval used to check whether a socket is alive; idle is the
        number of seconds a connection needs to remain idle before TCP
        starts sending keepalive probes; probes is the maximum number of
        keepalive probes TCP should send before dropping the connection;
        interval is the interval in seconds between individual keepalive
        probes. Only some systems support the customization of these
        values; the keepalive parameter is ignored otherwise, and
        system-wide settings are used.

    network-timeout <time>
        Sets the network timeout value after which poll(2)/select(2)
        following a connect(2) returns in case of no activity. The value
        is in seconds, and it can be specified as for idle-timeout. If
        set before any target specification, it affects all targets,
        unless overridden by any per-target directive.

You can maybe give a try to "network-timeout" first.
--
Clément Oudot | Identity Solutions Manager
[email protected]
Worteks | https://www.worteks.com
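As an added illustration that is not part of the thread (neither David's slapd.conf nor Clément's reply), here is a slapd.conf META database fragment that applies the four directives quoted above globally, then overrides one of them for a single target; the suffixes, hostnames, bind DNs, credential placeholders and every timeout value are constructed, and the nretries and timeout directives are taken from slapd-meta(5) rather than from the thread.

```conf
# Added example, not from the thread: META database with slapd-meta(5)
# timeouts so one unreachable DC cannot stall the proxy indefinitely.
# All names and values below are constructed placeholders.

database        meta
suffix          "dc=proxy,dc=example"
rootdn          "cn=admin,dc=proxy,dc=example"

# Global settings: placed before the first "uri", so they apply to
# every target unless a per-target directive overrides them.
# network-timeout (seconds): stop waiting on connect() to a dead DC.
network-timeout 5
# bind-timeout (microseconds): stop waiting for an asynchronous bind reply.
bind-timeout    5000000
# idle-timeout: drop and recreate a cached connection idle for 5 minutes.
idle-timeout    5m
# keepalive idle:probes:interval, honoured only where the OS supports it.
keepalive       30:3:10
# nretries never: do not retry a failing target inside one operation.
nretries        never
# timeout: per-operation limits in seconds.
timeout         bind=10 search=10

# Target 1: customer A's Active Directory, reached over its VPN.
uri             "ldap://dc1.customer-a.example:389/ou=customerA,dc=proxy,dc=example"
suffixmassage   "ou=customerA,dc=proxy,dc=example" "dc=customer-a,dc=local"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=customer-a,dc=local"
                credentials="REPLACE_WITH_CUSTOMER_A_PASSWORD"
                mode=none

# Target 2: customer B, on a slower link, so network-timeout is raised
# for this target only (placed after its "uri").
uri             "ldap://dc1.customer-b.example:389/ou=customerB,dc=proxy,dc=example"
suffixmassage   "ou=customerB,dc=proxy,dc=example" "dc=customer-b,dc=local"
network-timeout 8
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=customer-b,dc=local"
                credentials="REPLACE_WITH_CUSTOMER_B_PASSWORD"
                mode=none
```

After changing the file, validate it with `slaptest -f slapd.conf` before restarting slapd, and test with one VPN deliberately down to confirm that binds against the other targets now fail over within the configured seconds rather than hanging.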
