Re: [nssldap] client timeout - update
- From: Eric Ritchie <eritchie [at] interactivebrokers.com>
- To: Buchan Milne <bgmilne [at] staff.telkomsa.net>
- Cc: Howard Chu <hyc [at] highlandsun.com>, nssldap [at] padl.com
- Subject: Re: [nssldap] client timeout - update
- Date: Mon, 23 Jun 2008 16:23:50 -0400
Buchan Milne wrote:
On Wednesday 11 June 2008 17:03:23 Eric Ritchie wrote:
I'm using LDAP for passwd, group, automap and netgroup functions; it is
a replacement for NIS. When the OS is using LDAP for these functions,
such as id or finger, it uses /lib/libnss_ldap.so and the /etc/ldap.conf
file. When I run any of the ldap commands, such as ldapsearch, it uses
/usr/lib/libldap and /etc/openldap/ldap.conf. I'm more concerned with
the OS hanging when it tries to perform an LDAP lookup than with ldapsearch
hanging. So I would need a newer libnss_ldap to take advantage of new
OpenLDAP features.
Most likely it would be sufficient to install newer OpenLDAP libraries, and
compile nss_ldap against the newer libraries.
The OpenLDAP 2.4.10 NETWORK_TIMEOUT feature definitely works much better. I
installed the ldapsearch program and the client libraries. When I
shut down a server, ldapsearch hangs for just a second and then connects
to the next server; before, it would hang for a really long time.
Recompiling nss_ldap is a little over my head. I tried downloading
nss_ldap from PADL and compiling it with the latest LDAP libraries, but
it's still ignoring the NETWORK_TIMEOUT setting. If I set bind_timelimit
to 1, there is still about a 10 second delay when the OS is querying
LDAP; it doesn't seem to matter if I set bind_policy to soft. Getting
nss_ldap to support the new NETWORK_TIMEOUT would really help.
Eric
However, in my case, bind_policy soft is sufficient to prevent problems when a
server "fails" (well, more often the client's networking isn't correctly
configured). But, if the client can't reach the server (bad routing, firewall
dropping packets instead of denying), then I would expect the behaviour you
are seeing, or if the LDAP server were to hang on an open connection (but I
haven't seen that in a few years).
Regards,
Buchan
--
Eric Ritchie
Interactive Brokers LLC
203-618-5868
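One way to tell which of the situations Buchan lists a client is in, as an added diagnostic that is not part of this thread: the script reads the `host`/`uri` lines of the nss_ldap configuration (/etc/ldap.conf, the file libnss_ldap uses, not /etc/openldap/ldap.conf) and makes a timed TCP connect to each server, so a server that silently drops packets shows up as a timeout rather than a quick refusal. It assumes bash with /dev/tcp support and the coreutils `timeout` command; the conf path and server names are placeholders.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread): list the servers nss_ldap reads from
# its ldap.conf and check whether each one answers, refuses, or silently drops
# a TCP connect. A silent drop is the case that makes libnss_ldap lookups stall.
set -u

# Print "host port" pairs from the `host` and `uri` lines of an nss_ldap conf.
# Port defaults to 389, or 636 for ldaps:// URIs, unless given explicitly.
ldap_servers_from_conf() {
  local conf="$1"
  awk '
    tolower($1) == "host" { for (i = 2; i <= NF; i++) print $i, 389 }
    tolower($1) == "uri"  {
      for (i = 2; i <= NF; i++) {
        u = $i; port = 389
        if (u ~ /^ldaps:\/\//) port = 636
        sub(/^ldaps?:\/\//, "", u); sub(/\/.*$/, "", u)
        if (u ~ /:[0-9]+$/) { port = u; sub(/.*:/, "", port); sub(/:[0-9]+$/, "", u) }
        if (u != "") print u, port
      }
    }' "$conf"
}

# Return 0 if the TCP connect succeeds, 1 if it fails quickly (refused or
# unroutable), 2 if it is still waiting when the time limit expires (dropped).
probe_ldap_server() {
  local host="$1" port="$2" limit="${3:-3}" rc=0
  timeout "$limit" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
  case "$rc" in
    0) return 0 ;;
    124) return 2 ;;   # timeout(1) reports 124 when it had to kill the command
    *) return 1 ;;
  esac
}

# Probe every server in a conf file and print one verdict line per server.
check_ldap_conf() {
  local conf="$1" limit="${2:-3}" host port rc
  ldap_servers_from_conf "$conf" | while read -r host port; do
    rc=0; probe_ldap_server "$host" "$port" "$limit" || rc=$?
    case "$rc" in
      0) echo "$host:$port ok" ;;
      1) echo "$host:$port refused/unreachable (fast failure; bind_policy soft copes)" ;;
      2) echo "$host:$port no answer within ${limit}s (dropped; NSS lookups will stall)" ;;
    esac
  done
}

# Usage (placeholder path): check_ldap_conf /etc/ldap.conf 3
```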