Description of problem:
When saslauthd is configured to have two ldap servers, say ldap1 and ldap2, and the network connection to ldap1 goes down after the link between saslauthd and ldap1 is established, it takes about 15 minutes for saslauthd to detect that the network is down and start connecting to ldap2 -- it responds to all the authentication requests with user unknown in the meanwhile.

Version-Release number of selected component (if applicable):
cyrus-sasl-2.1.22-4 in RHEL5.2

How reproducible:
Always

Steps to Reproduce:
1. set up two ldap servers, say ldap1 and ldap2

     ldap1    ldap2    auth
       |        |        |
     ==============================

2. configure saslauthd on another server as follows:

     ldap_servers: ldap://ldap1 ldap://ldap2
     ldap_filter: uid=%u
     ldap_search_base: ou=people,dc=example,dc=com
     ldap_bind_dn: cn=binduser,dc=example,dc=com
     ldap_password: ******

3. start saslauthd with "-a ldap" option
4. authenticate some requests
5. unplug ldap1 from the network
6. authenticate some more requests

Actual results:
Authentication attempts fail with user unknown error for more than 10 minutes.

Expected results:
saslauthd resumes authenticating requests after "ldap_timeout" seconds.

Additional info:
We've tracked down the problem to the version of OpenLDAP (2.3.27) that doesn't do setsockopt(SO_KEEPALIVE) nor does it honor the LDAP_OPT_TIMEOUT option in ldap_result(). OpenLDAP 2.4 has fixed these problems, and the fix for SO_KEEPALIVE has been there since 2.3.28, just one revision ahead of the one in RHEL5, but we still need a little bit of help from saslauthd, i.e. ldap_set_option(LDAP_OPT_TIMEOUT). A patch proposal is attached.
Created attachment 326452
patch proposal
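Added illustration, not the attached patch and not saslauthd or OpenLDAP code: the two safeguards named in the report, shown at plain-socket level on Linux. enable_keepalive() applies setsockopt(SO_KEEPALIVE) with illustrative timer values, and wait_reply() is a hypothetical helper showing the bounded wait that an honored result timeout gives the caller, so it can move on to the next server instead of blocking on a silent peer.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Turn on TCP keepalive so the kernel notices a silently dead peer.
 * Returns the worst-case detection time in seconds, or -1 on error. */
int enable_keepalive(int fd, int idle, int intvl, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof idle) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl, sizeof intvl) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof cnt) < 0)
        return -1;
    return idle + intvl * cnt;   /* idle period plus all unanswered probes */
}

/* Bounded wait for a reply: 1 = readable (reply or EOF), 0 = timed out,
 * -1 = error. A caller that gets 0 can drop this server and try the next. */
int wait_reply(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int rc = poll(&p, 1, timeout_ms);
    if (rc < 0) return -1;
    if (rc == 0) return 0;
    return (p.revents & POLLIN) ? 1 : -1;
}

/* Constructed demo: sv[1] stands in for a server that never answers. */
int demo_silent_peer(int timeout_ms)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int rc = wait_reply(sv[0], timeout_ms);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    /* 10 s idle, 5 s interval, 3 probes: illustrative values only */
    printf("dead peer detected within %d s\n", enable_keepalive(fd, 10, 5, 3));
    printf("silent peer, 200 ms limit: wait_reply -> %d\n", demo_silent_peer(200));
    close(fd);
    return 0;
}
```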
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1330.html