Failover for ldapdb doesn't work when packets are dropped by iptables

Dieter Kluenter dieter at dkluenter.de
Mon May 15 11:12:02 EDT 2017


Sebastian Hagedorn <Hagedorn at uni-koeln.de> writes:

> --On 15 May 2017 at 08:38:09 -0500 Dan White <dwhite at olp.net> wrote:
>
>> On 05/15/17 14:30 +0200, Sebastian Hagedorn wrote:
>>> we're trying to move from auxprop sasldb to ldapdb. Everything is
>>> working fine with both cyrus-imapd and sendmail. Even failover seems
>>> to be working (with multiple entries for ldapdb_uri), but only if the
>>> client gets a reject of some sort. Initially I tried to simulate the
>>> failure of the primary LDAP server with an iptables rule that dropped
>>> the packets. That led to a 30 second timeout and no failover taking
>>> place:
>>>
>>> ~> AUTH DIGEST-MD5
>>> <~  334 xxx
>>> ~> xxx
>>> <~* Timeout (30 secs) waiting for server response
>>> *** No authentication type succeeded
>>>
>>> Only when I changed the DROP to a REJECT in the iptables rule did the
>>> failover work as expected. I realize that a server that's down usually
>>> behaves like a REJECT rule, but I still would think that there should
>>> be a configurable timeout after which a failover takes place in the
>>> DROP scenario as well. In my 15+ years as a sysadmin there have been
>>> several occasions where servers were nominally running but didn't
>>> reply anymore, which would be just like that scenario.
>>
>> You can limit the network timeout functionality of the ldapdb plugin using
>> the ldapdb_rc sasl option:
>>
>> http://www.sendmail.org/~ca/email/cyrus2/options.html
>>
>> See ldap.conf(5) and its TIMEOUT/TIMELIMIT options.
>
> Thanks, but that doesn't seem to work either. I added the following
> line to Sendmail.conf:
>
> ldapdb_rc: /etc/sasl2/ldap.rc
>
> $ cat /etc/sasl2/ldap.rc
> TIMEOUT 2
> TIMELIMIT 2
> NETWORK_TIMEOUT 2
>
> I restarted sendmail, but I still get the 30 second timeout.

This is a SASL operation, but Sendmail may act as an LDAP client as well,
thus reading ldap.conf(5), which defaults to 30 sec.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
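The DROP-versus-REJECT behaviour Sebastian describes, as an added example that is not part of the thread and not the ldapdb plugin's, Sendmail's or OpenLDAP's code: a small Python client that walks a server list the way multiple ldapdb_uri entries would, with the TCP connect and the wait for the BindResponse both bounded by one network timeout. A REJECT (or a daemon that is really down) answers with an RST, so the next server is tried at once; a DROP, or a daemon that is nominally running but no longer replies, answers with nothing and costs the full timeout before failover, which is why the 30 second default matters. The LDAP servers here are constructed stand-ins on 127.0.0.1 that speak only the hard-coded anonymous bind exchange; the BER byte strings, the toy response decoder and the `closed_port` helper are assumptions made for the demo.

```python
"""Client-side LDAP failover demo (added example, not ldapdb or Sendmail code)."""
import socket
import threading
import time
from dataclasses import dataclass

# Constructed bytes: an anonymous LDAPv3 simple bind request (BER), messageID 1.
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# Constructed bytes: the matching BindResponse with resultCode success (0).
BIND_SUCCESS_RESPONSE = bytes.fromhex("300c02010161070a010004000400")


@dataclass
class Attempt:
    host: str
    port: int
    outcome: str      # "ok", "refused", "timeout", "bad-reply" or "error"
    elapsed: float    # seconds spent on this server before moving on


def try_bind(host, port, network_timeout):
    """One bind attempt against one server; the connect and the wait for the
    BindResponse are both bounded by network_timeout (cf. NETWORK_TIMEOUT)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=network_timeout) as s:
            s.settimeout(network_timeout)
            s.sendall(ANON_BIND_REQUEST)
            reply = s.recv(64)
    except ConnectionRefusedError:
        outcome = "refused"      # RST came back: the REJECT / daemon-down case
    except socket.timeout:
        outcome = "timeout"      # nothing came back: the DROP / wedged-daemon case
    except OSError:
        outcome = "error"        # e.g. network unreachable
    else:
        # Toy decoder: assumes the short single-byte-length BindResponse above,
        # application tag 0x61 at offset 5 and the resultCode at offset 9.
        ok = len(reply) >= 10 and reply[5] == 0x61 and reply[9] == 0
        outcome = "ok" if ok else "bad-reply"
    return Attempt(host, port, outcome, time.monotonic() - start)


def bind_with_failover(servers, network_timeout):
    """Walk the server list in order, like multiple ldapdb_uri entries, and
    stop at the first server that answers the bind. Returns (chosen, attempts)."""
    attempts = []
    for host, port in servers:
        attempt = try_bind(host, port, network_timeout)
        attempts.append(attempt)
        if attempt.outcome == "ok":
            return (host, port), attempts
    return None, attempts


def start_fake_ldap(mode):
    """Constructed stand-in for an LDAP server on 127.0.0.1 (not slapd).
    mode="answer": replies to any bind with success.
    mode="silent": accepts the TCP connection but never replies, which is
    how a nominally running but hung daemon looks to the client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []   # keeps silent-mode connections open so the client sees no FIN/RST

    def serve():
        while True:
            conn, _ = srv.accept()
            if mode == "answer":
                conn.recv(64)                      # consume the bind request
                conn.sendall(BIND_SUCCESS_RESPONSE)
                conn.close()
            else:
                held.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A local port nobody listens on, so a connect gets an immediate RST
    (the REJECT case). Demo helper; there is a small reuse race in real use."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    servers = [("127.0.0.1", closed_port()),               # down: refused at once
               ("127.0.0.1", start_fake_ldap("silent")),   # hung: burns the timeout
               ("127.0.0.1", start_fake_ldap("answer"))]   # healthy
    # With a 30 s default the hung server alone stalls the bind for 30 s;
    # with a 2 s network timeout failover reaches the healthy one in ~2 s.
    chosen, attempts = bind_with_failover(servers, network_timeout=2.0)
    for a in attempts:
        print(f"{a.host}:{a.port} {a.outcome:9s} after {a.elapsed:.2f}s")
    print("bound to", chosen)
```

Running it shows the refused server rejected in milliseconds, the silent one only after the full network timeout, and the bind landing on the healthy server; raise the timeout to 30 and the silent server reproduces the stall from the thread.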