Hi all,

I'm running dovecot-1.0.rc17 on OpenBSD 3.9, using userdb and passdb methods of "ldap" (SSL on 636/tcp) in addition to "passwd".

Occasionally (generally after a few hours of operation, but not always), LDAP-based logins stop working (e.g. hang/timeout after POP3 PASS command). Accounts with local passwords (as opposed to accounts with a password field of "x") still work fine at this point.

'tcpdump' shows the persistent 636/tcp connection still with bidirectional traffic (PUSH/ACKs and ACKs like normal).

After restarting Dovecot, things are fine until next time.

I guess I could try and get login_ldap working with bsdauth, but if there's an issue in the Dovecot LDAP support I'd like to see it fixed.

Any ideas?

Thanks,

Adrian Close

P.S. I note the LDAP timeout logging patch but it won't apply easily to rc17 and I'm hoping the issue has progressed since then anyway...
<quote who="Adrian Close">
> Hi all,
>
> I'm running dovecot-1.0.rc17 on OpenBSD 3.9, using userdb and passdb
> methods of "ldap" (SSL on 636/tcp) in addition to "passwd".
>
> Occasionally (generally after a few hours of operation, but not always),
> LDAP-based logins stop working (e.g. hang/timeout after POP3 PASS
> command). Accounts with local passwords (as opposed to accounts with a
> password field of "x") still work fine at this point.

We also get this. Twice a day we have to restart dovecot, using userdb and passdb via LDAP, with userdb_prefetch.

Also, if you shut down dovecot and try and restart OpenLDAP, the dovecot ldap bind/thread is still open and OpenLDAP sits there waiting for it.

I've discussed this with the OpenLDAP dev team, and they suggested attaching gdb to the slapd pid and seeing what's going on.

Any ideas from the dovecot side?

> 'tcpdump' shows the persistent 636/tcp connection still with bidirectional
> traffic (PUSH/ACKs and ACKs like normal).
>
> After restarting Dovecot, things are fine until next time.

Likewise.

> I guess I could try and get login_ldap working with bsdauth, but if
> there's an issue in the Dovecot LDAP support I'd like to see it fixed.

I agree. We are the only ones using dovecot this way, all our other clients use nssldap and pamldap, and there are no probs with dovecot that way.

> P.S. I note the LDAP timeout logging patch but it won't apply easily to
> rc17 and I'm hoping the issue has progressed since then anyway...

Oh, never tried that.

--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry at suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
> Date: Wed, 10 Jan 2007 16:07:03 +0100
> From: "J.M. Maurer" <mmaurer at betterbe.com>
> Subject: Re: [Dovecot] LDAP authentication stops working...
> To: dovecot at dovecot.org
> Message-ID: <1168441623.11613.3.camel at sigma.lan.uwog.net>
> Content-Type: text/plain
>
> On Tue, 2007-01-09 at 09:54 +0000, Gavin Henry wrote:
>> <quote who="Adrian Close">
>>> Hi all,
>>>
>>> I'm running dovecot-1.0.rc17 on OpenBSD 3.9, using userdb and passdb
>>> methods of "ldap" (SSL on 636/tcp) in addition to "passwd".
>>>
>>> Occasionally (generally after a few hours of operation, but not always),
>>> LDAP-based logins stop working (e.g. hang/timeout after POP3 PASS
>>> command). Accounts with local passwords (as opposed to accounts with a
>>> password field of "x") still work fine at this point.
>>
>> We also get this. Twice a day we have to restart dovecot, using userdb and
>> passdb via LDAP, with userdb_prefetch.
>
> Just to add: we moved from rc<something before 5> to rc15 recently, and
> we now also see a lot of hangs with
>
> The result handler for the initial ldap_search to find the dn to bind to
> is never called. I assume Timo fscked something up recently in my
> auth_bind code ;-P
>
> Anyway, restarting ldap every hour or so with cron does the job :-|
>
> I'd debug this if I had the time, but I won't have before next week.
>
> Cheers,
> Marc
>
> ---

I haven't documented it properly (yet) but when using rc15 with userdb_prefetch + passdb + ldap_authbind (200-500 concurrent clients) directly with LDAP it operates OK only for a few minutes. After a while authentication freezes. On the LDAP server (openldap v2.2.28) I see countless log entries such as: " slapd[24721]: connection_input: conn=1134942 deferring operation: binding". Dovecot show I tried to increase various dovecot and openldap limits without success.
Until the problem is solved, I use Dovecot with getpwnam (/etc/passwd) + pamldap which works always OK.

Could anybody please verify that direct LDAP userdb_prefetch, passdb, auth_bind work ok with openldap under heavy stress?

Is it possible that multiple concurrent LDAP bind requests and searches under different LDAP credentials through the very same TCP connection produce some kind of spurious problem?

Apostolis Papagiannakis
Aristotle University of Thessaloniki, Greece
On Tue, 2007-01-09 at 13:59 +1100, Adrian Close wrote:
> Occasionally (generally after a few hours of operation, but not always),
> LDAP-based logins stop working (e.g. hang/timeout after POP3 PASS
> command). Accounts with local passwords (as opposed to accounts with a
> password field of "x") still work fine at this point.

Are you using auth_bind=yes? That's been a bit broken. I finally today did several fixes to it so that it won't hang at least with my stress tests. The code is now in CVS and I built a new nightly snapshot if you want to try before rc18 release.

Looks like ldap_bind() can't really be used while anything else is going on. Now the code waits until all the existing LDAP searches are finished, then it does the bind, and then nothing is done until the bind is finished.
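
Added illustration, not part of the thread and not Dovecot's source: a minimal C model of the ordering rule described in the last reply, where searches may overlap on the shared connection but a bind is sent only once no search is outstanding, and nothing else is sent until that bind completes. The type and function names, the queue size and the strict FIFO ordering of queued requests are assumptions of this sketch; it makes no libldap calls.

```c
/* Model of the scheduling rule only; all names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

enum req_type { REQ_SEARCH, REQ_BIND };
#define QMAX 64                      /* assumed queue size for the model */

struct conn {
    enum req_type queue[QMAX];       /* accepted but not yet sent (FIFO) */
    size_t head, count;
    unsigned searches_in_flight;     /* sent, result not yet received */
    bool bind_in_flight;             /* a bind owns the connection */
};

/* Send queued requests in order for as long as the rule permits. */
static void conn_flush(struct conn *c)
{
    while (c->count > 0 && !c->bind_in_flight) {
        if (c->queue[c->head] == REQ_BIND) {
            if (c->searches_in_flight > 0)
                break;               /* bind waits for searches to drain */
            c->bind_in_flight = true;
        } else {
            c->searches_in_flight++;
        }
        c->head = (c->head + 1) % QMAX;
        c->count--;
    }
}

bool conn_submit(struct conn *c, enum req_type t)
{
    if (c->count == QMAX)
        return false;                /* refuse rather than grow unbounded */
    c->queue[(c->head + c->count) % QMAX] = t;
    c->count++;
    conn_flush(c);
    return true;
}

/* Result handlers: every completion may unblock queued work. */
void conn_search_done(struct conn *c)
{
    if (c->searches_in_flight > 0)
        c->searches_in_flight--;
    conn_flush(c);
}
void conn_bind_done(struct conn *c) { c->bind_in_flight = false; conn_flush(c); }
```

In this model a login that arrives during a bind is only delayed, never dropped, so a stalled bind shows up as a growing `count`, which is the value to watch or alarm on.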