Failover for ldapdb doesn't work when packets are dropped by iptables

Dan White dwhite at olp.net
Mon May 15 09:38:09 EDT 2017


On 05/15/17 14:30 +0200, Sebastian Hagedorn wrote:
>we're trying to move from auxprop sasldb to ldapdb. Everything is 
>working fine with both cyrus-imapd and sendmail. Even failover seems 
>to be working (with multiple entries for ldapdb_uri), but only if the 
>client gets a reject of some sort. Initially I tried to simulate the 
>failure of the primary LDAP server with an iptables rule that dropped 
>the packets. That led to a 30 second timeout and no failover taking 
>place:
>
>~> AUTH DIGEST-MD5
><~  334 xxx
>~> xxx
><~* Timeout (30 secs) waiting for server response
>*** No authentication type succeeded
>
>Only when I changed the DROP to a REJECT in the iptables rule did the 
>failover work as expected. I realize that a server that's down usually 
>behaves like a REJECT rule, but I still would think that there should 
>be a configurable timeout after which a failover takes place in the 
>DROP scenario as well. In my 15+ years as a sysadmin there have been 
>several occasions where servers were nominally running but didn't 
>reply anymore, which would be just like that scenario.

You can limit the network timeout functionality of the ldapdb plugin using
the ldapdb_rc sasl option:

http://www.sendmail.org/~ca/email/cyrus2/options.html

See ldap.conf(5) and its TIMEOUT/TIMELIMIT options.

-- 
Dan White
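As an added illustration of the advice in this reply (not configuration from the thread or from the Cyrus SASL project), this is what wiring ldapdb_rc to an ldap.conf(5)-style file looks like for the sendmail case in the original question. The file paths, host names, proxy identity and timeout values are assumptions; the option names are the documented ldapdb_* SASL options and ldap.conf(5) keywords. NETWORK_TIMEOUT is the one that matters for the DROP scenario, because it bounds the connect() phase that otherwise hangs until the kernel gives up.

```conf
# /etc/sasl2/Sendmail.conf (assumed path; sendmail reads SASL options from
# the file named after its application name)
pwcheck_method: auxprop
auxprop_plugin: ldapdb
# Space-separated list: libldap tries the URIs in order, so the second one
# is the failover target.
ldapdb_uri: ldap://ldap1.example.net ldap://ldap2.example.net
ldapdb_id: proxyuser
# placeholder credential
ldapdb_pw: CHANGEME
ldapdb_mech: DIGEST-MD5
# Extra libldap options are read from this file in addition to ldap.conf.
ldapdb_rc: /etc/sasl2/ldaprc

# /etc/sasl2/ldaprc (assumed path; ldap.conf(5) syntax, read by libldap
# because ldapdb_rc points here)
# Seconds to wait for a connect() to complete. Silently dropped packets
# (the iptables DROP case) are cut off here instead of after the kernel's
# own connect timeout.
NETWORK_TIMEOUT 3
# Seconds to wait for a synchronous operation (bind, search) once connected;
# covers the "nominally running but not replying" failure mode.
TIMEOUT 5
# Server-side search time limit, in seconds.
TIMELIMIT 5
```

For cyrus-imapd the same ldapdb options go into imapd.conf with the sasl_ prefix (sasl_ldapdb_rc, sasl_ldapdb_uri, ...). A quick check that the rc file is actually being honoured: with the primary blackholed, the AUTH exchange from the question should now stall for roughly NETWORK_TIMEOUT seconds and then succeed against the second URI; if it still waits the full 30 seconds, the plugin is not reading the file.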
