Bug 4544 - LDAP redundancy does not work
Summary: LDAP redundancy does not work
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Build environment (show other bugs)
Version: 3.2.0
Hardware: x86 Linux
: P3 major
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2007-04-25 03:02 UTC by Alain GORLIER
Modified: 2008-06-05 03:45 UTC (History)
1 user (show)

See Also:

ethereal traces with LDAP timeout = 15 (6.63 KB, application/octet-stream)
2007-04-25 11:21 UTC, Alain GORLIER
no flags Details
patch adding ldap connection timeout feature (3.29 KB, patch)
2008-05-22 10:46 UTC, Björn Jacke
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alain GORLIER 2007-04-25 03:02:34 UTC
Redhat 4, Samba server 3.0.22.

We are testing LDAP redundancy. We have 2 LDAP servers.

If we stop LDAP services on the first LDAP server, everything works fine : 
the samba server detects the failed ldap server and switch to the 
available LDAP server.
Clients can be authenticated, everything works fine.

But, if the first LDAP server is unavailable (does not respond to ping), 
the samba server does not switch to the second LDAP server :

[2007/04/20 09:36:46, 0] lib/smbldap.c:smbldap_search_suffix(1346)
  smbldap_search_suffix: Problem during the LDAP search:  (Time limit 
[2007/04/20 09:36:46, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [adminocs] -> [adminocs] 
[2007/04/20 09:36:46, 2] smbd/server.c:exit_server(614)
  Closing connections

We have tried using smaller and greater values of ldap timeout in smb.conf 
but it does not help. ( from 5 to 600)
We have tried using smaller and greater values in the /etc/ldap.conf for 
bind_timelimit and timelimit (30 by default, from 5 to 300), but it does 
not help.

Here is our smb.conf related to ldap :

        passdb backend = ldapsam:"ldap://itdsd1l1.altissemiconductor.com 
        ldap passwd sync = Yes
        ldap admin dn = 
        ldap suffix = ou=manuf,o=altissemiconductor.com,cn=mfg
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap timeout = 15
        ldap ssl = start_tls

Is there a way to change the bind/connect/network timeout for samba server to switch to the available ldap server node before the "search time limit exceeded" ?
Do I miss something ?
Comment 1 Alain GORLIER 2007-04-25 11:21:11 UTC
Created attachment 2412 [details]
ethereal traces with LDAP timeout = 15

test : using smblcient from the samba server : Samba server : Master LDAP server (stopped: does not respond to ping) : Slave secondary LDAP server
Comment 2 Alain GORLIER 2007-04-26 11:18:53 UTC
Taking some ethereal traces, we see that there are multiple network TCP retries before TCP timeout is reached.
As TCP timeout is much more longer than ldap timeout (default : 15 seconds), the samba server says : time limit exceeded.
If we increase the ldap timeout (from 15 to 300), then the TCP timeout (about 3 minutes) is reached and the connection to the slave ldap server seems to be done, but too late : smb clients timeouts are smaller..... and 3 minutes is too much.

Is there a way to setup ldap client librairies to use smaller "network timeout" ?
(we have used timelimit and bind_timelimit with no success for Samba server).
Comment 3 Björn Jacke 2008-05-14 02:26:29 UTC
yes, the timeouts do not work very well together. This problem is also handled by the latest patch from bug #3504.
Comment 4 Volker Lendecke 2008-05-14 04:52:31 UTC
Björn, any updates on the discussion we had regarding defaults? Do you have a new patch available?

Comment 5 Björn Jacke 2008-05-22 10:46:57 UTC
Created attachment 3304 [details]
patch adding ldap connection timeout feature

as requested on samba-techincal this is the extracted piece that just adds the ldap connection timeout without anything else.

The "ldap connection timeout" is actualy a feature that was not covered by the "ldap timeout" parameter before. For that reason the default of the new "ldap connection timeout" is unrelated to the old "ldap timeout".
Comment 6 Karolin Seeger 2008-06-05 03:45:22 UTC
Patch is now in v3-3-test, v3-2-test and v3-2-stable (4307701b6ca3ac953 and 539210ea8e023afe7189).
Will be included in 3.2.0rc2 and higher.

Closing out bug report. Please reopen if it is still an issue.