LDAP timeouts during failure conditions

Phil Mayers p.mayers at imperial.ac.uk
Thu Jun 23 15:11:35 CEST 2011

So, some discussion on the JANET-ROAMING list leads me to believe that, 
during an "ldap server down" condition, rlm_ldap will incur 
"net_timeout" on every (or many) passes through the module.

I don't really understand the MAX_FAILED_* logic at the start of 
perform_search, but it seems to conflict with the comments at the top of 
the file:

  * If conn->failed_conns > MAX_FAILED_CONNS_START then we don't
  * try to do anything and we just do conn->failed_conns++ and
  * return RLM_MODULE_FAIL

...perform_search has no such logic; in any event, it seems like it 
would be better to do an optional time-based per-server "fast fail" so that:

redundant {

...fails quickly if ldap1 is down.

In some ways it's a shame we can't use a worker thread to manage the 
LDAP connection(s); that way, the module could be marked "fast fail" 
unless and until a live connection exists. Is there any scope for that?


More information about the Freeradius-Devel mailing list