Red Hat Bugzilla – Bug 475726
saslauthd: very slow network failure detection
Last modified: 2009-09-02 06:12:57 EDT
Description of problem:
When saslauthd is configured to have two ldap servers, say ldap1
and ldap2, and network connection to ldap1 is down after link
between saslauthd and ldap1 is established, it takes about 15 minutes
for saslauthd to detect the network down and start connecting to ldap2 --
it responds to all the authentication requests with user unknown
in the meanwhile.
Version-Release number of selected component (if applicable):
cyrus-sasl-2.1.22-4 in RHEL5.2
Steps to Reproduce:
1. set up two ldap servers, say ldap1 and ldap2
(diagram: hosts ldap1, ldap2 and the saslauthd host "auth" on one network)
2. configure saslauthd on another server as follows:
ldap_servers: ldap://ldap1 ldap://ldap2
3. start saslauthd with "-a ldap" option
4. authenticate some requests
5. unplug ldap1 from the network
6. authenticate some more requests
Authentication attempts fail with a "user unknown" error
for more than 10 minutes.
saslauthd resumes authenticating requests after
We've tracked down the problem to the version of OpenLDAP (2.3.27)
that doesn't do setsockopt(SO_KEEPALIVE) nor does it honor
LDAP_OPT_TIMEOUT option in ldap_result().
OpenLDAP 2.4 has fixed these problems, and the fix for SO_KEEPALIVE has
been there since 2.3.28, just one revision ahead of the one in RHEL5,
but we still need a little bit of help from saslauthd,
i.e. ldap_set_option(LDAP_OPT_TIMEOUT). A patch proposal is attached.
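The two mechanisms the reporter names, SO_KEEPALIVE on the connection and a bounded wait for the reply (what ldap_set_option(LDAP_OPT_TIMEOUT) makes ldap_result() honor), are plain socket-level calls underneath libldap. The following is an added C example, not code from saslauthd, OpenLDAP or the attached patch, that exercises those same calls directly on a loopback TCP connection so the behaviour can be observed without an LDAP server. The helper names (enable_keepalive, keepalive_enabled, wait_for_reply, make_loopback_pair) and the probe schedule values are assumptions made for the illustration; the TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT tuning is Linux-specific and guarded by #ifdef.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Enable TCP keepalive on a connected socket so a peer that silently
 * vanished (unplugged cable) is noticed after roughly
 * idle + probes * interval seconds, instead of waiting for the kernel's
 * retransmission limit, which is on the order of 15 minutes by default. */
int enable_keepalive(int fd, int idle_sec, int interval_sec, int probes)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
#ifdef TCP_KEEPIDLE   /* Linux-specific tuning of the probe schedule */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_sec, sizeof idle_sec) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &interval_sec, sizeof interval_sec) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &probes, sizeof probes) < 0)
        return -1;
#endif
    return 0;
}

/* Report whether SO_KEEPALIVE is set on fd: 1 = yes, 0 = no, -1 = error. */
int keepalive_enabled(int fd)
{
    int on = 0;
    socklen_t len = sizeof on;
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) < 0)
        return -1;
    return on != 0;
}

/* Bounded wait for a reply, the socket-level analogue of an LDAP_OPT_TIMEOUT
 * on ldap_result(): 1 = data ready, 0 = timed out, -1 = error. */
int wait_for_reply(int fd, int timeout_sec)
{
    fd_set rfds;
    struct timeval tv = { timeout_sec, 0 };
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return rc > 0 ? 1 : 0;
}

/* Build a loopback TCP pair (client fd in out[0], server-side fd in out[1])
 * so the helpers above can be exercised without a real LDAP server. */
int make_loopback_pair(int out[2])
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                 /* let the kernel pick a free port */
    socklen_t len = sizeof sa;
    if (bind(lfd, (struct sockaddr *)&sa, len) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) {
        close(lfd);
        return -1;
    }
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&sa, len) < 0) {
        if (cfd >= 0)
            close(cfd);
        close(lfd);
        return -1;
    }
    int sfd = accept(lfd, NULL, NULL);
    close(lfd);
    if (sfd < 0) {
        close(cfd);
        return -1;
    }
    out[0] = cfd;
    out[1] = sfd;
    return 0;
}

/* Stand-alone demo: keepalive on, then a one-second bounded wait that
 * times out because the "server" side never answers. */
int main(void)
{
    int fds[2];
    if (make_loopback_pair(fds) < 0) { perror("loopback"); return 1; }
    if (enable_keepalive(fds[0], 5, 2, 3) < 0) { perror("keepalive"); return 1; }
    printf("keepalive enabled: %d\n", keepalive_enabled(fds[0]));
    printf("wait_for_reply: %d (0 = timed out)\n", wait_for_reply(fds[0], 1));
    close(fds[0]);
    close(fds[1]);
    return 0;
}
```

Without the keepalive, an idle connection to an unplugged ldap1 looks healthy to saslauthd until the kernel gives up retransmitting; without the bounded wait, a request sent on that connection blocks in ldap_result() for the same period. Both need to be in place before failover to ldap2 can happen promptly, which is why the report asks for the libldap fix and the saslauthd-side ldap_set_option(LDAP_OPT_TIMEOUT) together.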
Created attachment 326452
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.