Failover for ldapdb doesn't work when packets are dropped by iptables

Dan White dwhite at olp.net
Mon May 15 11:14:22 EDT 2017


On 05/15/17 16:45 +0200, Sebastian Hagedorn wrote:
>--On 15. Mai 2017 um 08:38:09 -0500 Dan White <dwhite at olp.net> wrote:
>
>>On 05/15/17 14:30 +0200, Sebastian Hagedorn wrote:
>>>we're trying to move from auxprop sasldb to ldapdb. Everything is
>>>working fine with both cyrus-imapd and sendmail. Even failover seems
>>>to be working (with multiple entries for ldapdb_uri), but only if the
>>>client gets a reject of some sort. Initially I tried to simulate the
>>>failure of the primary LDAP server with an iptables rule that dropped
>>>the packets. That led to a 30 second timeout and no failover taking
>>>place:
>>
>>You can limit the network timeout functionality of the ldapdb plugin using
>>the ldapdb_rc sasl option:
>>
>>http://www.sendmail.org/~ca/email/cyrus2/options.html
>>
>>See ldap.conf(5) and its TIMEOUT/TIMELIMIT options.
>
>Thanks, but that doesn't seem to work either. I added the following 
>line to Sendmail.conf:
>
>ldapdb_rc: /etc/sasl2/ldap.rc
>
>$ cat /etc/sasl2/ldap.rc
>TIMEOUT 2
>TIMELIMIT 2
>NETWORK_TIMEOUT 2
>
>I restarted sendmail, but I still get the 30 second timeout.

Note from the manpage:

"The LDAPRC, if defined, should be the basename of a file in the current
working directory or in the user's home directory."

Alternatively, you could define the options in your global ldap.conf.

-- 
Dan White
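Added example (not from the thread or the cyrus-sasl project): a small checker that encodes the two points raised above, that ldapdb_rc must name a basename looked up in the working directory or $HOME rather than an absolute path, and that of the three keywords in the posted ldap.rc only NETWORK_TIMEOUT (the ldap.conf(5) connect-phase timeout) applies while a connect() is stalled by dropped packets. The rc contents are a constructed copy of the ones quoted in the thread; the lookup rule is the one stated by the manpage sentence above.

```python
import os
import re
from typing import Dict, List

# Constructed copy of the ldap.rc contents quoted in the thread; not read from disk.
SAMPLE_LDAP_RC = "TIMEOUT 2\nTIMELIMIT 2\nNETWORK_TIMEOUT 2\n"


def parse_ldap_rc(text: str) -> Dict[str, str]:
    """Parse 'KEYWORD value' lines the way ldap.conf(5) files are written:
    keywords are case-insensitive, '#' starts a comment, blank lines are skipped."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1]
    return opts


def rc_candidates(ldapdb_rc: str, cwd: str, home: str) -> List[str]:
    """Where an LDAPRC basename is looked up according to the manpage rule quoted
    in the thread: the current working directory, then the user's home directory."""
    return [os.path.join(cwd, ldapdb_rc), os.path.join(home, ldapdb_rc)]


def audit_ldapdb_rc(ldapdb_rc: str, rc_text: str) -> List[str]:
    """Return findings that explain why a blackholed primary server may still
    stall instead of failing over to the next ldapdb_uri."""
    findings: List[str] = []
    if os.path.isabs(ldapdb_rc) or os.sep in ldapdb_rc:
        findings.append(
            f"ldapdb_rc {ldapdb_rc!r} is a path, but LDAPRC must be a basename "
            "found in the working directory or $HOME; the file is never read, "
            "so put the options in the global ldap.conf instead"
        )
    opts = parse_ldap_rc(rc_text)
    # TIMEOUT covers synchronous API calls and TIMELIMIT is a search limit; only
    # NETWORK_TIMEOUT bounds the connect() that hangs when packets are dropped.
    if "NETWORK_TIMEOUT" not in opts:
        findings.append(
            "NETWORK_TIMEOUT is unset, so a dropped connect() waits for the "
            "system default before the next ldapdb_uri is tried"
        )
    return findings
```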