Failover for ldapdb doesn't work when packets are dropped by iptables
Sebastian Hagedorn
Hagedorn at uni-koeln.de
Mon May 15 08:30:32 EDT 2017
Hi,
we're trying to move from auxprop sasldb to ldapdb. Everything is working
fine with both cyrus-imapd and sendmail. Even failover seems to be working
(with multiple entries for ldapdb_uri), but only if the client gets a
reject of some sort. Initially I tried to simulate the failure of the
primary LDAP server with an iptables rule that dropped the packets. That
led to a 30 second timeout and no failover taking place:
~> AUTH DIGEST-MD5
<~ 334 xxx
~> xxx
<~* Timeout (30 secs) waiting for server response
*** No authentication type succeeded
Only when I changed the DROP to a REJECT in the iptables rule did the
failover work as expected. I realize that a server that's down usually
behaves like a REJECT rule, but I still would think that there should be a
configurable timeout after which a failover takes place in the DROP
scenario as well. In my 15+ years as a sysadmin there have been several
occasions where servers were nominally running but didn't reply anymore,
which would be just like that scenario.
Thoughts? Am I overlooking something?
Cheers
Sebastian
--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
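The behaviour described in the post, reproduced with local sockets (added example, not code from the post or from Cyrus SASL): a "DROP" or hung daemon accepts the TCP connection but never answers, so only a per-attempt timeout lets the client move on; a "REJECT" or closed port fails at once with ECONNREFUSED, so failover is immediate even without one. The `probe_with_failover` function is the client-side logic with a configurable timeout that the post asks for; server stand-ins, the `PING`/`OK` exchange and all names are constructed for this example and are not part of ldapdb.

```python
import socket
import threading
import time

HOST = "127.0.0.1"  # all stand-in servers live on loopback so the example runs offline


def start_silent_server():
    """Stand-in for a DROP rule or a daemon that is up but never replies:
    the TCP handshake completes, then nothing ever comes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    held = []  # keep accepted connections open so the client sees no FIN or RST

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server():
    """Healthy stand-in: reads one request line and answers 'OK'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(64)
                conn.sendall(b"OK\n")

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Stand-in for a REJECT rule or a stopped daemon: nothing listens, so
    connect() fails immediately with ECONNREFUSED."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_with_failover(servers, timeout):
    """Try each (host, port) in order, bounding every connect and read by
    `timeout` seconds. Returns (index_of_first_success, reply, attempts) where
    attempts is a list of (index, outcome, seconds_spent)."""
    attempts = []
    for i, (host, port) in enumerate(servers):
        started = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(b"PING\n")
                data = s.recv(64)  # raises socket.timeout on a silent peer
                attempts.append((i, "ok", time.monotonic() - started))
                return i, data.decode().strip(), attempts
        except ConnectionRefusedError:
            attempts.append((i, "refused", time.monotonic() - started))
        except socket.timeout:
            attempts.append((i, "timeout", time.monotonic() - started))
        except OSError as exc:
            attempts.append((i, "error:%s" % exc.errno, time.monotonic() - started))
    return None, None, attempts


def demo(timeout=0.5):
    """Primary is silent (DROP), secondary refuses (REJECT), tertiary is healthy."""
    servers = [
        (HOST, start_silent_server()),
        (HOST, closed_port()),
        (HOST, start_echo_server()),
    ]
    return probe_with_failover(servers, timeout)


if __name__ == "__main__":
    idx, reply, attempts = demo()
    for i, outcome, secs in attempts:
        print("server %d: %-8s after %.2fs" % (i, outcome, secs))
    print("served by server %s with reply %r" % (idx, reply))
```

Run stand-alone it shows the silent server costing the full timeout before the client moves on, the refused server costing almost nothing, and the healthy server answering; without the timeout argument the first attempt would hang, which is exactly the 30-second stall in the post.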