Bug 48515 - LDAPConnectionTimeout Directive not working properly
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authn_ldap
Version: 2.2.13
Hardware: All Linux
Importance: P2 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2010-01-09 09:45 UTC by Muzi
Modified: 2010-02-04 14:10 UTC

Description Muzi 2010-01-09 09:45:36 UTC
The LDAPConnectionTimeout directive is not working: if the primary LDAP goes down, is unreachable, or there is a network timeout from the ISP, it does not forward the authentication request or switch to the secondary LDAP.

I tried to use this directive, but it is not working:

LDAPConnectionTimeout 4

AuthLDAPURL "ldap://ldap1.mydomain.com ldap2.mydomain.com/dc=mydomain,dc=com?uid??"

As above, I defined two LDAP hosts: ldap1 is primary and ldap2 is secondary. So as per this directive, if ldap1 is down or unreachable, it should switch to ldap2 after the defined number of seconds; above I defined 4 seconds.

Kindly test it and suggest whether it is a bug or requires some additional parameter.

Thanks
Comment 1 Eric Covener 2010-01-09 09:53:13 UTC

*** This bug has been marked as a duplicate of bug 48505 ***
Comment 2 Muzi 2010-01-09 10:34:35 UTC
(In reply to comment #1)
> 
> *** This bug has been marked as a duplicate of bug 48505 ***

How was it resolved :( without any info? It disheartened me; did I waste my time? If it is working then please give proof, or guide me where I am wrong. It's not good, you just changed the status. I have now reopened it again and assume we can discuss it in a professional way.

Thanks
Comment 3 Muzi 2010-01-09 11:27:35 UTC
I found this on the Apache docs URL:

http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldapcacheentries

LDAPConnectionTimeout is only available when the LDAP client library linked with the server supports the LDAP_OPT_NETWORK_TIMEOUT option, and the ultimate behavior is dictated entirely by the LDAP client library.

So I now have a doubt about it, but I installed all of the LDAP packages on the Apache server with rpm:

python-ldap-2.3.6-1.fc11.i586
apr-util-ldap-1.3.9-1.fc11.i586
nss_ldap-264-2.fc11.i586
openldap-2.4.15-6.fc11.i586
openldap-clients-2.4.15-6.fc11.i586
php-ldap-5.2.11-2.fc11.i586
mod_authz_ldap-0.26-12.i586
openldap-devel-2.4.15-6.fc11.i586

Can you please suggest how I can verify the LDAP_OPT_NETWORK_TIMEOUT option?

Thanks
Comment 4 Eric Covener 2010-01-09 11:30:29 UTC
Don't create duplicate bugs for the same issue and put information in both.

*** This bug has been marked as a duplicate of bug 48505 ***
Comment 5 Muzi 2010-01-09 11:35:56 UTC
(In reply to comment #4)
> Don't create duplicate bugs for the same issue and put information in both.
> 
> *** This bug has been marked as a duplicate of bug 48505 ***

OK, but please reply to me and help if it's not a bug. I assume some comments on it.
Comment 6 Muzi 2010-01-09 12:24:29 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Don't create duplicate bugs for the same issue and put information in both.
> > 
> > *** This bug has been marked as a duplicate of bug 48505 ***
> 
> OK, but please reply to me and help if it's not a bug. I assume some comments on
> it.

Closing it.

Opened it mistakenly; I am now in touch with Mr Eric on the users mailing list.

Thanks for guidance.
Comment 7 Stefan Fritsch 2010-01-09 12:40:23 UTC
I think the problem is that LDAPConnectionTimeout really affects only the timeout for creating the tcp connection. If an existing connection to a failed LDAP server is reused, LDAPConnectionTimeout has no influence whatsoever (at least with openldap).

What would be needed is a way to set the LDAP op timeout. I think I have some partially working patch for this somewhere. I will see if I can get it into shape.
Comment 8 Muzi 2010-01-09 12:55:31 UTC
(In reply to comment #7)
> I think the problem is that LDAPConnectionTimeout really affects only the
> timeout for creating the tcp connection. If an existing connection to a failed
> LDAP server is reused, LDAPConnectionTimeout has no influence whatsoever (at
> least with openldap).
> 
> What would be needed is a way to set the LDAP op timeout. I think I have some
> partially working patch for this somewhere. I will see if I can get it into
> shape.

Right, can you please guide me how I can make it effective with Apache, or is it a bug that the LDAPConnectionTimeout directive is not working properly? I have only this problem: if ldap1 is down or unreachable, Apache keeps trying to connect to ldap1 and does not forward the request to ldap2.
Comment 9 Eric Covener 2010-01-09 13:27:59 UTC
Muzi, do you only have this problem when you let apache establish connections to server1 before simulating it going down?
Comment 10 Muzi 2010-01-09 13:33:48 UTC
(In reply to comment #9)
> Muzi, do you only have this problem when you let apache establish connections
> to server1 before simulating it going down?

No, let me explain.

I have two LDAP servers, ldap1 (master) and ldap2 (slave). I want Apache to use ldap2 for authentication if ldap1 is down/unreachable.

Currently failover works only if ldap1 is up and pingable but the LDAP service is not running on it; then it immediately forwards the request to ldap2. But it does not work if ldap1 is down/unreachable/network timeout from the ISP; then Apache keeps trying to connect to ldap1 and does not forward requests to ldap2.

So as per the docs I used the LDAPConnectionTimeout directive, which was also not helpful, so please suggest.

Thanks
Comment 11 Muzi 2010-01-11 10:29:07 UTC
(In reply to comment #7)
> I think the problem is that LDAPConnectionTimeout really affects only the
> timeout for creating the tcp connection. If an existing connection to a failed
> LDAP server is reused, LDAPConnectionTimeout has no influence whatsoever (at
> least with openldap).
> 
> What would be needed is a way to set the LDAP op timeout. I think I have some
> partially working patch for this somewhere. I will see if I can get it into
> shape.

Hi Stefan

Can you please tell me more about how I can enable the LDAP op timeout you mentioned above? I think the OpenLDAP client library is already compiled with it, as I am using the standard fc11 rpm. Or are you currently working on it, so that Apache will support this after your fix? I appreciate your and Mr Eric's support.

Thanks
Comment 12 Muzi 2010-01-11 11:50:48 UTC
I got the issue and I resolved it successfully :)

Only the NETWORK_TIMEOUT option needs to be defined in the LDAP client, so that it automatically redirects requests to ldap2 if ldap1 is down.

Muzi
Comment 13 Stefan Fritsch 2010-01-11 14:49:55 UTC
The timeout I meant would correspond to the TIMEOUT option in ldap.conf (for OpenLDAP). There is currently no way to set it in Apache.

(In reply to comment #12)
> I got the issue and I resolved it successfully :)
> 
> Only the NETWORK_TIMEOUT option needs to be defined in the LDAP client, so that
> it automatically redirects requests to ldap2 if ldap1 is down.

Out of interest: Which value for NETWORK_TIMEOUT worked for you?
Comment 14 Muzi 2010-02-04 14:10:09 UTC
(In reply to comment #13)
> The timeout I meant would correspond to the TIMEOUT option in ldap.conf (for
> OpenLDAP). There is currently no way to set it in Apache.
> 
> (In reply to comment #12)
> > I got the issue and I resolved it successfully :)
> > 
> > Only the NETWORK_TIMEOUT option needs to be defined in the LDAP client, so that
> > it automatically redirects requests to ldap2 if ldap1 is down.
> 
> Out of interest: Which value for NETWORK_TIMEOUT worked for you?

Apache works with the LDAP client libraries; it works for me. I use a 4-second delay.

NETWORK_TIMEOUT 4
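
The distinction drawn in comments 7 and 13, as an added example that is not part of the bug thread and is not Apache or OpenLDAP code: a connect timeout (the role of NETWORK_TIMEOUT / LDAPConnectionTimeout) bounds only TCP connection setup, while a server that accepts the connection and then goes silent is only skipped if there is also an operation timeout (the role of TIMEOUT in ldap.conf). The localhost sockets, the `ping`/`pong` exchange and all function names are hypothetical stand-ins for LDAP servers; an unreachable host whose packets are dropped cannot be simulated offline, but it falls under the same connect timeout as the refused port.

```python
import socket
import threading

def probe(addr, connect_timeout, op_timeout):
    """Classify one backend: 'ok', 'connect-failed', 'op-timeout' or 'io-error'."""
    try:
        # Bounded TCP connect: the part NETWORK_TIMEOUT / LDAPConnectionTimeout covers.
        sock = socket.create_connection(addr, timeout=connect_timeout)
    except OSError:
        return "connect-failed"
    with sock:
        # Bounded wait for a reply (ldap.conf TIMEOUT); None would block forever.
        sock.settimeout(op_timeout)
        try:
            sock.sendall(b"ping")  # placeholder request, not LDAP
            return "ok" if sock.recv(16) else "io-error"
        except socket.timeout:
            return "op-timeout"
        except OSError:
            return "io-error"

def pick_backend(addrs, connect_timeout, op_timeout):
    """Try hosts in order, as with the space-separated host list in AuthLDAPURL."""
    trail = []
    for addr in addrs:
        trail.append(probe(addr, connect_timeout, op_timeout))
        if trail[-1] == "ok":
            return addr, trail
    return None, trail

def demo():
    """Constructed localhost stand-ins: refused port, stalled listener, healthy server."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        refused = tmp.getsockname()  # closed on exit: connects here are refused at once
    stalled, healthy = socket.socket(), socket.socket()
    for s in (stalled, healthy):
        s.bind(("127.0.0.1", 0))
        s.listen(1)  # 'stalled' completes handshakes but never accept()s or replies
    def serve():
        conn, _ = healthy.accept()
        conn.recv(16)
        conn.sendall(b"pong")
    threading.Thread(target=serve, daemon=True).start()
    addrs = [refused, stalled.getsockname(), healthy.getsockname()]
    chosen, trail = pick_backend(addrs, connect_timeout=4, op_timeout=0.5)
    return chosen == addrs[2], trail

if __name__ == "__main__":
    print(demo())
```

With `op_timeout=None` the second backend would hold the request indefinitely even though the 4-second connect timeout is set, which is the behaviour comment 7 describes for a connection to a failed server.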