Failover for ldapdb doesn't work when packets are dropped by iptables

Sebastian Hagedorn Hagedorn at uni-koeln.de
Mon May 15 08:30:32 EDT 2017


Hi,

We're trying to move from auxprop sasldb to ldapdb. Everything is working 
fine with both cyrus-imapd and sendmail. Even failover seems to be working 
(with multiple entries for ldapdb_uri), but only if the client gets a 
reject of some sort. Initially I tried to simulate the failure of the 
primary LDAP server with an iptables rule that dropped the packets. That 
led to a 30 second timeout and no failover taking place:

 ~> AUTH DIGEST-MD5
<~  334 xxx
 ~> xxx
<~* Timeout (30 secs) waiting for server response
*** No authentication type succeeded

Only when I changed the DROP to a REJECT in the iptables rule did the 
failover work as expected. I realize that a server that's down usually 
behaves like a REJECT rule, but I still would think that there should be a 
configurable timeout after which a failover takes place in the DROP 
scenario as well. In my 15+ years as a sysadmin there have been several 
occasions where servers were nominally running but didn't reply anymore, 
which would be just like that scenario.

Thoughts? Am I overlooking something?

Cheers
Sebastian
-- 
    .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
                 .:.Regionales Rechenzentrum (RRZK).:.
   .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
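The two behaviours the post contrasts can be reproduced without touching iptables. The following is an added example, not code from the post or from the Cyrus SASL ldapdb plugin: it models a client that walks a list of servers with a bounded per-server connect timeout, so that a host which silently drops packets (DROP, or a wedged daemon) is abandoned after the deadline just as a host that answers with a reset (REJECT, or a daemon that is down) is abandoned at once. The host names and the fake connector are constructed for the demonstration; `tcp_connector` is the real-network equivalent. In OpenLDAP's libldap the corresponding knob is `NETWORK_TIMEOUT` in ldap.conf(5) / `LDAP_OPT_NETWORK_TIMEOUT`; whether the ldapdb auxprop plugin honours it is not something the post establishes, so check that on your own build before relying on it.

```python
"""Failover across several servers with a bounded per-server connect timeout.

Added example (not from the mailing-list post or the ldapdb plugin).
A REJECT rule, or a host that is down, answers a SYN with RST, so connect()
fails immediately.  A DROP rule, or a host that is up but no longer replying,
answers nothing, so only a deadline ends the wait.  Bounding each attempt makes
the DROP case fail over too, after at most timeout * len(servers) seconds.
"""
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

Server = Tuple[str, int]
Connector = Callable[[str, int, float], object]
Attempt = Tuple[str, str, float]          # (host, outcome, seconds spent)


def tcp_connector(host: str, port: int, timeout: float) -> socket.socket:
    """Real connector: a TCP connect that gives up after `timeout` seconds."""
    return socket.create_connection((host, port), timeout=timeout)


def connect_with_failover(servers: List[Server], timeout: float,
                          connector: Connector = tcp_connector
                          ) -> Tuple[Optional[object], List[Attempt]]:
    """Try each server in order; return (connection or None, attempt log)."""
    attempts: List[Attempt] = []
    for host, port in servers:
        started = time.monotonic()
        try:
            conn = connector(host, port, timeout)
        except (socket.timeout, TimeoutError):
            # DROP case: nothing came back before the deadline, move on.
            attempts.append((host, "timeout", time.monotonic() - started))
        except ConnectionRefusedError:
            # REJECT case / nothing listening: the kernel saw an RST at once.
            attempts.append((host, "refused", time.monotonic() - started))
        except OSError as exc:
            # e.g. ICMP host/network unreachable; also fails immediately.
            attempts.append((host, f"error:{exc.errno}", time.monotonic() - started))
        else:
            attempts.append((host, "ok", time.monotonic() - started))
            return conn, attempts
    return None, attempts


def make_fake_connector(behaviour: Dict[str, str]) -> Connector:
    """Constructed for the demo: simulate iptables DROP / REJECT per host."""
    def connector(host: str, port: int, timeout: float) -> object:
        mode = behaviour.get(host, "ok")
        if mode == "drop":
            time.sleep(timeout)            # packets vanish; only the deadline ends it
            raise socket.timeout("timed out")
        if mode == "reject":
            raise ConnectionRefusedError(111, "Connection refused")
        return f"session:{host}:{port}"
    return connector


def demo(timeout: float = 0.2) -> Dict[str, Tuple[Optional[object], List[Attempt]]]:
    """Run the failover once with the primary rejecting and once with it dropping."""
    servers = [("ldap1.example.invalid", 636), ("ldap2.example.invalid", 636)]
    results = {}
    for mode in ("reject", "drop"):
        connector = make_fake_connector({"ldap1.example.invalid": mode})
        results[mode] = connect_with_failover(servers, timeout, connector)
    return results


if __name__ == "__main__":
    for mode, (conn, attempts) in demo().items():
        print(f"primary simulates {mode.upper()}:")
        for host, outcome, secs in attempts:
            print(f"  {host:<24} {outcome:<8} {secs:5.2f}s")
        print(f"  -> {conn}")
```

Run stand-alone it prints the attempt log for both modes; the REJECT run reaches the secondary in microseconds, the DROP run reaches it only after the full timeout has elapsed on the primary, which is the whole difference the post observes. With an unbounded timeout the DROP run never gets past the first server.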