[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: LDAP Proxy Timeout Values
Would it matter that our suffixes are nested?
Example:
DB 1:
suffix "ou=sample4,dc=sample3,dc=sample2,dc=sample1"
DB 2:
suffix "dc=sample3,dc=sample2,dc=sample1"
AD Server:
suffix "dc=sample2,dc=sample1"
So, if the server doing 'suffix "dc=sample2,dc=sample1"' goes down, would the other 2 be affected?
Thanks
- Jack
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Wednesday, June 04, 2014 8:51 AM
To: Jack Kielsmeier; openldap-technical@openldap.org
Subject: Re: LDAP Proxy Timeout Values
Jack Kielsmeier wrote:
> Interesting.
>
> So you basically have some sort of script that checks responsiveness. If none, it reconfigures slapd.conf and restarts the process? Seems like quite a bandaid, but it'd work.
>
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org
> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Liam
> Gretton
> Sent: Tuesday, June 03, 2014 2:12 PM
> To: openldap-technical@openldap.org
> Subject: Re: LDAP Proxy Timeout Values
>
> On 03/06/2014 16:34, Jack Kielsmeier wrote:
>> We are running OpenLDAP 2.4.23. Part of our implementation proxies to
>> an
Active Directory server. Whenever connectivity to the AD server is interrupted, queries to the non-proxied portion of our implementation take a very long time and cause many issues with querying services.
Based on the config info you provided, I don't see how that's possible. You have 3 database sections of note, and they are all independent. Queries to any of the first two databases cannot be affected by anything in the back-ldap database, unless you've deleted something crucial from the censored config you sent.
The doc sections you quote are not relevant, I suggest you re-read the
slapd-ldap(5) manpage more carefully.
> I reported a similar issue a couple of years ago:
Your issue was reported against back-meta, this post is about back-ldap. The configurations are not similar at all.
>
> http://www.openldap.org/its/index.cgi/Incoming?id=7372;selectid=7372
>
> That was with 2.4.32. I don't think it's been fixed since, but I've
> worked
around it with a slightly unpleasant out-of-band check on our domain controllers which reconfigures OpenLDAP when it detects a DC going out of service.
From what I see in the mailing list archives, there was nothing to fix. The timeouts all worked as designed when tested locally.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/