Hello Sam,
Thanks for the response.
I just did some debugging with the following results:
- "deferring operation" on the openldap server is not related to this issue
- once I restart the LDAP server, many of the existing LDAP connections do not
seem to be re-established and I get the following error in authlib:
May 24 01:16:28 mail authdaemond: ldap_search_ext_s failed: Can't contact LDAP server
- I tried disabling TLS to check whether the situation would improve, but
without any improvement (exactly the same behaviour)
- I tried setting LDAP PROTO VERSION to 2 instead of 3, but I get a
different error:
May 24 01:19:34 mail authdaemond: ldap_sasl_bind_s failed: Protocol error
Based on a packet capture, the behaviour is as follows:
- once I restart the LDAP server, the LDAP server sends FIN/ACK to all
ongoing authlib connections
- the LDAP server receives back just an ACK for all those connections, but
nothing else (no FIN/ACK from the authlib side for a valid connection closure)
- and authlib tries to do the LDAP search over that EXISTING
connection, with the result that LDAP responds with RST, and this seems to
produce the authlib log message: ldap_search_ext_s failed:
Can't contact LDAP server
Simply said, authdaemon is not correctly handling the case where the remote
server sends FIN/ACK for those ongoing connections, and it tries to keep
using them.
Once authlib receives the RST, it establishes a new connection. But
when there are many authlib daemons in place, it takes a really
long time to get all those connections re-established, as all of them are
used for many auth requests coming from either imap or maildrop.
So maybe yes, in the end (after XYZ minutes) all daemons will get their
connections re-established, but meanwhile the majority of users will be
unable to use the service.
Example capture screenshot:
https://cloud.zssos.sk/index.php/s/vyjJT0LzFWClIh4
regards
michal
On 24.5.2018 at 1:12 Sam Varshavchik wrote:
Michal Bruncko writes:
The issue starts if the openldap server becomes unavailable for some short
period of time (for example an LDAP service restart, an LDAP system reboot,
or whatever network issue...). Once the openldap server is available
again, the majority of LDAP connections between authlib and the LDAP
server are stuck with the following error on the openldap server side:
May 23 14:25:39 auth1 slapd[1328]: connection_input: conn=1015 deferring operation: pending operations
Anything logged by courier-authldap as well?
If you do not use TLS for connecting to the LDAP server, try setting
LDAP_PROTOCOL_VERSION=2 in authldaprc.
_______________________________________________
Courier-imap mailing list
[email protected]
Unsubscribe:https://lists.sourceforge.net/lists/listinfo/courier-imap
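The half-closed connection state Michal describes (server FIN answered only by the kernel's ACK, then a search sent over the stale connection) is what a pooled client has to check for before reuse. The following is an added Python illustration, not authlib's or Courier's code: a loopback stand-in for slapd closes its side, and the client detects the pending EOF with a zero-timeout select plus MSG_PEEK and reconnects instead of sending on the dead connection. All names and the sample request are constructed.

```python
import select
import socket

def open_pair():
    """Constructed stand-in for slapd: loopback listener + one accepted client."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    return client, server_side, listener

def peer_closed(sock, timeout=0.0):
    """True if the peer already sent FIN (or the socket errored), False if the
    idle connection is still usable. Readable + MSG_PEEK == b'' is exactly the
    half-closed state in the thread: the kernel ACKed the FIN, nobody noticed."""
    readable, _, errored = select.select([sock], [], [sock], timeout)
    if errored:
        return True
    if not readable:
        return False                      # idle, no FIN pending
    try:
        return sock.recv(1, socket.MSG_PEEK) == b""
    except OSError:                       # ECONNRESET and friends
        return True

def search_with_reconnect(pool_sock, server_addr, request=b"search"):
    """Check the pooled connection before reuse; reconnect if it is stale.
    Returns (usable_sock, reconnected)."""
    reconnected = False
    if peer_closed(pool_sock):
        pool_sock.close()
        pool_sock = socket.create_connection(server_addr)
        reconnected = True
    pool_sock.sendall(request)
    return pool_sock, reconnected

def demo():
    """Simulate the restart: server closes its side, client then reuses the pool."""
    client, server_side, listener = open_pair()
    alive_before = not peer_closed(client)
    server_side.close()                        # "restart": FIN towards the client
    stale = peer_closed(client, timeout=2.0)   # wait for the FIN to arrive
    client, reconnected = search_with_reconnect(client, listener.getsockname())
    new_server_side, _ = listener.accept()     # the re-established connection
    received = new_server_side.recv(64)
    for s in (client, new_server_side, listener):
        s.close()
    return alive_before, stale, reconnected, received
```

Without the check, the first send on the half-closed socket still succeeds locally, and only the server's RST (or the failed read that follows) reveals the problem, which is the "Can't contact LDAP server" path from the thread.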