LDAP timeouts during failure conditions
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jun 23 15:11:35 CEST 2011
So, some discussion on the JANET-ROAMING list leads me to believe that,
during an "ldap server down" condition, rlm_ldap will incur
"net_timeout" on every (or many) passes through the module.
I don't really understand the MAX_FAILED_* logic at the start of
perform_search, but it seems to conflict with the comments at the top of
the file:
* If conn->failed_conns > MAX_FAILED_CONNS_START then we don't
* try to do anything and we just do conn->failed_conns++ and
* return RLM_MODULE_FAIL
...perform_search has no such logic; in any event, it seems like it
would be better to do an optional time-based per-server "fast fail" so that:
redundant {
ldap1
ldap2
}
...fails quickly if ldap1 is down.
In some ways it's a shame we can't use a worker thread to manage the
LDAP connection(s); that way, the module could be marked "fast fail"
unless and until a live connection exists. Is there any scope for that?
Cheers,
Phil
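The time-based per-server "fast fail" Phil proposes can be sketched as a small circuit breaker in front of each server in a redundant group. The C below is an added example written for this archive page; it is not Phil's code, nor part of rlm_ldap or FreeRADIUS. The FAIL_THRESHOLD and RETRY_INTERVAL values, the ldap_server_t struct, the connect_fn hook and the sim_connect stand-in (ldap1 always down, ldap2 always up) are all assumptions made for the demonstration; the result names only echo the RLM_MODULE_* style from the post. The point it shows is the one the message makes: once ldap1 has tripped, later passes through `redundant { ldap1 ldap2 }` skip it immediately instead of paying net_timeout every time, and a single probe is allowed again after the retry interval.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Tunables: assumed values for the example, not real rlm_ldap config knobs. */
#define FAIL_THRESHOLD 3      /* consecutive failed connects before a server is marked down */
#define RETRY_INTERVAL 30     /* seconds a down server is skipped before one probe is allowed */

typedef struct {
    const char *name;
    int failed_conns;     /* consecutive failures, reset to 0 on success */
    time_t down_until;    /* 0 = considered up; otherwise skip until this time */
} ldap_server_t;

typedef enum {
    RESULT_FAST_FAIL = -1,   /* skipped without attempting a connect */
    RESULT_CONNECT_FAIL = 0, /* attempted and failed; this is where net_timeout is paid */
    RESULT_CONNECT_OK = 1
} connect_result_t;

/* Connection attempt hook (hypothetical); a real module would bind to LDAP here. */
typedef bool (*connect_fn)(const char *name);

connect_result_t try_server(ldap_server_t *s, time_t now, connect_fn connect)
{
    /* Breaker open: fail immediately rather than waiting net_timeout again. */
    if (s->down_until > now) return RESULT_FAST_FAIL;

    if (connect(s->name)) {
        s->failed_conns = 0;
        s->down_until = 0;
        return RESULT_CONNECT_OK;
    }

    s->failed_conns++;
    if (s->failed_conns >= FAIL_THRESHOLD) {
        /* Trip: later passes skip this server until the retry deadline. */
        s->down_until = now + RETRY_INTERVAL;
    }
    return RESULT_CONNECT_FAIL;
}

/*
 * Mimics redundant { ldap1 ldap2 }: walk the list and return the index of the
 * first server that connects, or -1 if none does. *slow_failures counts the
 * attempts that actually waited on a dead server (the net_timeout cost).
 */
int redundant_connect(ldap_server_t *servers, size_t n, time_t now,
                      connect_fn connect, int *slow_failures)
{
    for (size_t i = 0; i < n; i++) {
        connect_result_t r = try_server(&servers[i], now, connect);
        if (r == RESULT_CONNECT_OK) return (int)i;
        if (r == RESULT_CONNECT_FAIL) (*slow_failures)++;
    }
    return -1;
}

/* Constructed stand-in for the network: ldap1 is unreachable, ldap2 answers. */
bool sim_connect(const char *name)
{
    return strcmp(name, "ldap1") != 0;
}

int main(void)
{
    ldap_server_t servers[2] = { { "ldap1", 0, 0 }, { "ldap2", 0, 0 } };
    int slow = 0;
    time_t now = 1000; /* simulated clock in seconds */

    for (int pass = 0; pass < 5; pass++, now++) {
        int idx = redundant_connect(servers, 2, now, sim_connect, &slow);
        printf("t=%ld pass %d -> %s (slow failures so far: %d)\n",
               (long)now, pass, idx >= 0 ? servers[idx].name : "none", slow);
    }
    /* Passes 0-2 each wait on ldap1 (slow = 1, 2, 3); passes 3-4 fast-fail it. */
    return 0;
}
```

The breaker state is per server, so tripping ldap1 never delays the fall-through to ldap2, and the single probe after RETRY_INTERVAL is what keeps a recovered server from staying marked down forever. In a real module the same state would need to be shared safely across request threads, which is the part Phil's worker-thread suggestion would simplify.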