Bug 4544 - LDAP redundancy does not work
Status: RESOLVED FIXED
Product: Samba 3.2
Classification: Unclassified
Component: Build environment
Version: 3.2.0
Platform: x86 Linux
Priority: P3
Severity: major
Target Milestone: ---
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-04-25 03:02 UTC by Alain GORLIER
Modified: 2008-06-05 03:45 UTC

Attachments
ethereal traces with LDAP timeout = 15 (6.63 KB, application/octet-stream), 2007-04-25 11:21 UTC, Alain GORLIER
patch adding ldap connection timeout feature (3.29 KB, patch), 2008-05-22 10:46 UTC, Björn Jacke

Description Alain GORLIER 2007-04-25 03:02:34 UTC
Hi,
Redhat 4, Samba server 3.0.22.

We are testing LDAP redundancy. We have 2 LDAP servers.

If we stop LDAP services on the first LDAP server, everything works fine:
the samba server detects the failed ldap server and switches to the
available LDAP server.
Clients can be authenticated, everything works fine.

But if the first LDAP server is unavailable (does not respond to ping),
the samba server does not switch to the second LDAP server:

[2007/04/20 09:36:46, 0] lib/smbldap.c:smbldap_search_suffix(1346)
  smbldap_search_suffix: Problem during the LDAP search:  (Time limit 
exceeded)
[2007/04/20 09:36:46, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [adminocs] -> [adminocs] 
FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/20 09:36:46, 2] smbd/server.c:exit_server(614)
  Closing connections

We have tried using smaller and greater values of ldap timeout in smb.conf
(from 5 to 600), but it does not help.
We have tried using smaller and greater values in /etc/ldap.conf for
bind_timelimit and timelimit (30 by default, from 5 to 300), but it does
not help.

Here is our smb.conf related to ldap:

        passdb backend = ldapsam:"ldap://itdsd1l1.altissemiconductor.com ldap://itdsd2l2.altissemiconductor.com"
        ldap passwd sync = Yes
        ldap admin dn = cn=samba,ou=DSA,ou=manuf,o=altissemiconductor.com,cn=mfg
        ldap suffix = ou=manuf,o=altissemiconductor.com,cn=mfg
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap timeout = 15
        ldap ssl = start_tls

Is there a way to change the bind/connect/network timeout for the samba server to switch to the available ldap server node before the "search time limit exceeded"?
Am I missing something?
Comment 1 Alain GORLIER 2007-04-25 11:21:11 UTC
Created attachment 2412 [details]
ethereal traces with LDAP timeout = 15

test: using smbclient from the samba server
10.240.47.35: Samba server
10.112.8.130: Master LDAP server (stopped: does not respond to ping)
10.240.65.238: Slave secondary LDAP server
Comment 2 Alain GORLIER 2007-04-26 11:18:53 UTC
Taking some ethereal traces, we see that there are multiple TCP retries on the network before the TCP timeout is reached.
As the TCP timeout is much longer than the ldap timeout (default: 15 seconds), the samba server says: time limit exceeded.
If we increase the ldap timeout (from 15 to 300), then the TCP timeout (about 3 minutes) is reached and the connection to the slave ldap server seems to be made, but too late: smb clients' timeouts are smaller, and 3 minutes is too much.

Is there a way to set up the ldap client libraries to use a smaller "network timeout"?
(We have used timelimit and bind_timelimit with no success for the Samba server.)
Comment 3 Björn Jacke 2008-05-14 02:26:29 UTC
Yes, the timeouts do not work very well together. This problem is also handled by the latest patch from bug #3504.
Comment 4 Volker Lendecke 2008-05-14 04:52:31 UTC
Björn, any updates on the discussion we had regarding defaults? Do you have a new patch available?

Volker
Comment 5 Björn Jacke 2008-05-22 10:46:57 UTC
Created attachment 3304 [details]
patch adding ldap connection timeout feature

As requested on samba-technical, this is the extracted piece that just adds the ldap connection timeout without anything else.

The "ldap connection timeout" is actually a feature that was not covered by the "ldap timeout" parameter before. For that reason the default of the new "ldap connection timeout" is unrelated to the old "ldap timeout".
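The distinction drawn in comments 2 and 5, as an added illustration that is not part of this bug report or of Samba's code: a per-server connect-phase timeout applied while walking the passdb backend URI list, separate from the search time limit. The constructed scenario uses TEST-NET-1 address 192.0.2.1 as the black-holed master, a closed local port as a host whose LDAP service is stopped, and a local listening socket as the standby.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # per URI scheme


def parse_ldap_uris(passdb_backend):
    """'ldapsam:"ldap://a ldap://b"' -> ordered [(host, port), ...]."""
    value = passdb_backend.strip()
    if value.startswith("ldapsam:"):
        value = value[len("ldapsam:"):]
    targets = []
    for uri in value.strip().strip('"').split():
        parts = urlsplit(uri)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported LDAP URI: {uri!r}")
        targets.append((parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]))
    return targets


def first_reachable(targets, connect_timeout):
    """First (host, port) whose TCP handshake completes within connect_timeout
    seconds, else None. A black-holed host costs at most connect_timeout here
    rather than the kernel's SYN retry budget of several minutes."""
    for host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=connect_timeout):
                return (host, port)
        except OSError:
            continue   # refused (service stopped), unreachable, or no answer in time


def run_demo(connect_timeout=1.0):
    """Constructed scenario; returns (chosen server, expected standby)."""
    standby = socket.socket()
    standby.bind(("127.0.0.1", 0))
    standby.listen(1)                         # the kernel completes handshakes
    live = standby.getsockname()
    stopped = socket.socket()
    stopped.bind(("127.0.0.1", 0))
    dead = stopped.getsockname()
    stopped.close()                           # port now closed: connect gets RST
    targets = [("192.0.2.1", 389),            # TEST-NET-1: nothing ever answers
               dead,                          # host up, LDAP service stopped
               live]                          # reachable standby
    try:
        return first_reachable(targets, connect_timeout), live
    finally:
        standby.close()
```

Without network access the black-holed address fails immediately with an unreachable error instead of waiting out connect_timeout; the selection result is the same either way.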
Comment 6 Karolin Seeger 2008-06-05 03:45:22 UTC
Patch is now in v3-3-test, v3-2-test and v3-2-stable (4307701b6ca3ac953 and 539210ea8e023afe7189).
Will be included in 3.2.0rc2 and higher.

Closing out bug report. Please reopen if it is still an issue.