Ldap searches don't seem to honour connect_timeout
Franks Andy (IT Technical Architecture Manager)
Andy.Franks at sath.nhs.uk
Tue May 10 18:54:43 CEST 2016
Hi all,
FR 3.1.0 git#64aa7f9
I've been doing some testing around HA and servers looking at multiple ldap sources. For the most part everything is fine and dandy, but when the ldap search can't be made (e.g. one of the round robin dns entries goes off line), the connection timeout doesn't seem to behave.
I've tried setting the connect_timeout ldap option, and also the NETWORK_TIMEOUT option in /etc/ldap/ldap.conf, but to no avail; connection timeouts take at least a minute or more. Using ldapsearch does seem to honour the latter perfectly. It's difficult to show the behaviour in a debug readout, since
Are there any known issues with FR or the ldap library version that would cause this? Am I missing something!?
Config:
rlm_ldap (ldap_sath): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap_sath): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap_sath): Initialising connection pool
pool {
start = 0
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 20
connect_timeout = 3.000000
retry_delay = 1
spread = no
FR output:
Tue May 10 17:46:39 2016 : Info: rlm_ldap (ldap_sath): Opening additional connection (2), 1 of 10 pending slots used
Tue May 10 17:46:39 2016 : Debug: rlm_ldap (ldap_sath): Connecting to ldaps://sath.nhs.uk:636
Tue May 10 17:46:39 2016 : Debug: rlm_ldap (ldap_sath): New libldap handle 0x2a2ea10
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Waiting for bind result...
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Bind successful
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Reserved connection (2)
Tue May 10 17:48:46 2016 : Debug: (3) Performing search in "dc=SATH,dc=nhs,dc=uk" with filter "sAMAccountName=989096b80618", scope "sub"
Tue May 10 17:48:46 2016 : Debug: (3) Waiting for search result...
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Released connection (2)
Tue May 10 17:48:46 2016 : Info: rlm_ldap (ldap_sath): Need 3 more connections to reach 3 spares
Tue May 10 17:48:46 2016 : Info: rlm_ldap (ldap_sath): Opening additional connection (3), 1 of 9 pending slots used
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Connecting to ldaps://sath.nhs.uk:636
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): New libldap handle 0x2aa2d00
Ldapsearch (it's set to 6 seconds here, but 3 in FR, I was seeing which took precedence. Not setting the ldap.conf, i.e. commenting out gives same result btw).
time ldapsearch -x -H ldaps://10.128.176.1 -D "ldapquery" -b "OU=Phones,OU=MAC Addresses,OU=Trust owned,OU=Wired 802.1x MAC,OU=SATHNetwork,DC=SATH,DC=nhs,DC=uk" -s sub "(cn=*)" cn mail sn dn -w <hidden>
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
real 0m6.009s
user 0m0.000s
sys 0m0.000s
Thanks
Andy
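A quick way to put numbers on the behaviour described in the post is to read the rlm_ldap debug output back and measure the gap between "Connecting to" and "Waiting for bind result..." for each connection attempt, then compare it with the pool's connect_timeout. The script below is an added example, not code from the post or from FreeRADIUS; it assumes the log line shape quoted above (timestamp, level, "rlm_ldap (instance): message") and one-second timestamp granularity. The sample lines are constructed from the timestamps in the post so it runs offline; the names connect_attempts and slow_connects are mine.

```python
"""Measure how long rlm_ldap connections take to come up from FreeRADIUS
debug output, and flag attempts that ran past the pool's connect_timeout.

Added example (not FreeRADIUS code). Assumes the rlm_ldap debug line format
quoted in the mailing-list post; the sample log below is constructed in
that shape from the timestamps the post shows.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the post's debug output.
SAMPLE_LOG = """\
Tue May 10 17:46:39 2016 : Info: rlm_ldap (ldap_sath): Opening additional connection (2), 1 of 10 pending slots used
Tue May 10 17:46:39 2016 : Debug: rlm_ldap (ldap_sath): Connecting to ldaps://sath.nhs.uk:636
Tue May 10 17:46:39 2016 : Debug: rlm_ldap (ldap_sath): New libldap handle 0x2a2ea10
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Waiting for bind result...
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Bind successful
Tue May 10 17:48:46 2016 : Info: rlm_ldap (ldap_sath): Opening additional connection (3), 1 of 9 pending slots used
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): Connecting to ldaps://sath.nhs.uk:636
Tue May 10 17:48:46 2016 : Debug: rlm_ldap (ldap_sath): New libldap handle 0x2aa2d00
"""

# "Tue May 10 17:46:39 2016 : Debug: rlm_ldap (ldap_sath): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : \w+: "
    r"rlm_ldap \((?P<inst>[^)]+)\): (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^Connecting to (?P<url>\S+)")
BIND_MSG = "Waiting for bind result..."


def parse_ts(text: str) -> datetime:
    """Parse the FreeRADIUS log timestamp (C locale month/day names)."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def connect_attempts(log_text: str) -> List[Dict]:
    """Return one record per 'Connecting to' line.

    'seconds' is the wall-clock gap until the bind is issued on that
    connection, which covers TCP connect and (for ldaps://) TLS setup;
    it is None when the log ends before the bind was issued.
    """
    pending: Dict[str, Tuple[str, datetime]] = {}   # instance -> (url, start)
    attempts: List[Dict] = []

    def close(inst: str, seconds: Optional[float]) -> None:
        url, started = pending.pop(inst)
        attempts.append({"instance": inst, "url": url,
                         "started": started, "seconds": seconds})

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, inst, msg = parse_ts(m["ts"]), m["inst"], m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            if inst in pending:            # previous attempt never bound
                close(inst, None)
            pending[inst] = (c["url"], ts)
        elif msg == BIND_MSG and inst in pending:
            close(inst, (ts - pending[inst][1]).total_seconds())

    for inst in list(pending):             # still connecting at end of log
        close(inst, None)
    return attempts


def slow_connects(log_text: str, connect_timeout: float) -> List[Dict]:
    """Attempts whose connect phase ran longer than the configured timeout."""
    return [a for a in connect_attempts(log_text)
            if a["seconds"] is not None and a["seconds"] > connect_timeout]


if __name__ == "__main__":
    # 3.0 matches the connect_timeout shown in the post's pool config.
    for a in connect_attempts(SAMPLE_LOG):
        state = "unfinished" if a["seconds"] is None else f'{a["seconds"]:.0f}s'
        print(f'{a["instance"]} {a["url"]} {state}')
    for a in slow_connects(SAMPLE_LOG, 3.0):
        print(f'SLOW: {a["url"]} took {a["seconds"]:.0f}s > connect_timeout')
```

On the post's own lines this reports a 127-second gap for connection (2) against a 3-second connect_timeout, which is the discrepancy being asked about. The same script works on a full radiusd -X capture; run it against the log after each timeout change (connect_timeout, NETWORK_TIMEOUT in ldap.conf) to see which, if any, actually bounds the connect phase.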