Bug 475726 - saslauthd: very slow network failure detection
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Tomas Mraz
Reported: 2008-12-10 00:54 EST by Kazuo Ito
Modified: 2009-09-02 06:12 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 06:12:57 EDT

Attachments
patch proposal (1.00 KB, patch), 2008-12-10 00:58 EST, Kazuo Ito
Description Kazuo Ito 2008-12-10 00:54:40 EST
Description of problem:

When saslauthd is configured with two LDAP servers, say ldap1
and ldap2, and the network connection to ldap1 goes down after the link
between saslauthd and ldap1 has been established, it takes about 15 minutes
for saslauthd to detect the network failure and start connecting to ldap2;
in the meanwhile it responds to all authentication requests with
"user unknown".

Version-Release number of selected component (if applicable):

cyrus-sasl-2.1.22-4 in RHEL5.2

How reproducible:


Steps to Reproduce:
1. set up two ldap servers, say ldap1 and ldap2
   ldap1       ldap2       auth
     |           |          |
2. configure saslauthd on another server as follows:
ldap_servers: ldap://ldap1 ldap://ldap2
ldap_filter: uid=%u
ldap_search_base: ou=people,dc=example,dc=com
ldap_bind_dn: cn=binduser,dc=example,dc=com
ldap_password: ******
3. start saslauthd with "-a ldap" option
4. authenticate some requests
5. unplug ldap1 from the network
6. authenticate some more requests

Actual results:

Authentication attempts fail with a "user unknown" error
for more than 10 minutes.

Expected results:

saslauthd resumes authenticating requests after
"ldap_timeout" seconds.

Additional info:

We've tracked down the problem to the version of OpenLDAP (2.3.27)
that doesn't do setsockopt(SO_KEEPALIVE) nor does it honor
LDAP_OPT_TIMEOUT option in ldap_result().

OpenLDAP 2.4 has fixed these problems, and the fix for SO_KEEPALIVE has
been there since 2.3.28, just one revision ahead of the one in RHEL5,
but we still need a little bit of help from saslauthd,
i.e. ldap_set_option(LDAP_OPT_TIMEOUT).  A patch proposal is attached.
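The two mechanisms the reporter names, a keepalive on the connection and a bounded wait in ldap_result() via LDAP_OPT_TIMEOUT, shown in a self-contained C example added here (it is neither the attached patch nor saslauthd's code). It uses plain sockets and poll() in place of libldap so it builds without OpenLDAP; the real ldap_set_option call appears only in a comment, and LDAP_TIMEOUT_SECONDS is a constructed stand-in for saslauthd's ldap_timeout setting.

```c
#include <sys/socket.h>
#include <sys/time.h>
#include <poll.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the ldap_timeout setting in saslauthd.conf (seconds). */
#define LDAP_TIMEOUT_SECONDS 5

/* Build the struct timeval that OpenLDAP's
 *   ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv);
 * expects; without that call ldap_result() may wait indefinitely on a
 * peer that has silently vanished. */
struct timeval ldap_timeout_tv(int seconds) {
    struct timeval tv;
    tv.tv_sec = seconds;
    tv.tv_usec = 0;
    return tv;
}

/* Enable TCP keepalive on a socket so a dead peer is eventually noticed
 * even while no request is in flight. Returns 1 if the option is set. */
int enable_keepalive(int fd) {
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) != 0)
        return 0;
    int got = 0;
    socklen_t len = sizeof got;
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &got, &len) != 0)
        return 0;
    return got != 0;
}

/* Wait for a reply on fd for at most `seconds`.
 * Returns -1 on error, 0 on timeout, 1 when data is readable.
 * This is the bounded wait that LDAP_OPT_TIMEOUT makes ldap_result() perform,
 * so a failover to the next server can happen after ldap_timeout seconds. */
int wait_for_reply(int fd, int seconds) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int rc;
    do {
        rc = poll(&p, 1, seconds * 1000);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return -1;
    return rc == 0 ? 0 : 1;
}

/* Demo: keepalive on an ordinary (unconnected) TCP socket. */
int demo_keepalive(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int ok = enable_keepalive(fd);
    close(fd);
    return ok;
}

/* Demo: a socketpair with nothing written stands in for an LDAP server that
 * went silent; the wait returns 0 (timeout) instead of blocking forever.
 * A zero-second timeout keeps the demo instant. */
int demo_silent_server(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int rc = wait_for_reply(sv[0], 0);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Demo: the server answers, so the wait returns 1 before the timeout. */
int demo_reply_arrives(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (write(sv[1], "x", 1) != 1)
        return -1;
    int rc = wait_for_reply(sv[0], LDAP_TIMEOUT_SECONDS);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void) {
    struct timeval tv = ldap_timeout_tv(LDAP_TIMEOUT_SECONDS);
    printf("timeout: %ld s, keepalive: %d, silent: %d, reply: %d\n",
           (long)tv.tv_sec, demo_keepalive(), demo_silent_server(),
           demo_reply_arrives());
    return 0;
}
```

The keepalive covers the idle case (no request outstanding when the link dies), while the bounded wait covers a request already sent; the report notes that OpenLDAP 2.3.27 provided neither, which is why both pieces matter.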
Comment 1 Kazuo Ito 2008-12-10 00:58:24 EST
Created attachment 326452
patch proposal
Comment 6 errata-xmlrpc 2009-09-02 06:12:57 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.