We will try this as the next step to find a workaround. The problem with client idletimeout=5 mins in the openldap server is that it is a global server definition and has the net effect of changing replication refreshAndPersist into type refreshOnly, which is not a welcome side effect. We will look at other options; still, the better candidate is ldap_idle_disconnect on the dovecot side or any other kind of logic able to detect this kind of problem.

Best regards

2011/11/7 Timo Sirainen <t...@iki.fi>

> If you set openldap server to close idle clients sooner than the
> connection itself is dropped by firewall (or whatever), then Dovecot
> sees the disconnection and won't hang. So you could try something like
> clientidletimeout=5 mins
>
> On Mon, 2011-11-07 at 18:02 -0500, Aliet Santiesteban Sifontes wrote:
> > We checked with the firewall admins and they cannot change the drop
> > action; this model doesn't support reject, only drops. For testing
> > they changed the ldap protocol idle timeout, which was set to 30 mins,
> > to never, so the firewall never drops ldap idle connections. We also
> > verified the clientidletimeout option in Openldap, but it is set to 0, which
> > means never close an idle connection. After testing again we see the
> > connection hanging again after user inactivity. We will keep looking
> > for other issues and maybe do some packet captures to see what is
> > really happening.
> > Best regards. Btw, it would be great to have this ldap_idle_disconnect = 30s
> >
> > 2011/11/4 Timo Sirainen <t...@iki.fi>
> >
> > On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
> > > I'm having a problem with the dovecot ldap connection when the ldap
> > > server is in another firewall zone. The firewall kills the ldap
> > > connection after a determined period of inactivity. This is good from
> > > the firewall point of view but bad for dovecot, because it never knows
> > > the connection has been dropped. This creates long timeouts in dovecot
> > > and finally it reconnects; meanwhile many users fail to authenticate.
> > > I have seen this kind of post on the list for a while but can't find a
> > > solution for it, so my question is how to define an idle ldap time in
> > > dovecot so it can reconnect before the firewall has dropped the
> > > connection, or just close the connection under inactivity, so that when
> > > a user authenticates it doesn't fail for a while until dovecot detects
> > > that the connection has hung. Is this a feature request or is there
> > > already a configuration for this?
> >
> > Can't the firewall be changed to reject the LDAP packets instead of
> > dropping them? Then Dovecot would immediately notice that the connection
> > has died, and with a recent enough version it wouldn't even log an error
> > about it.
> >
> > I guess some kind of an "ldap_idle_disconnect = 30s" setting could be
> > added, but it's not a very high priority for me.
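
An added example, not part of the original thread and not Dovecot code: the idle-disconnect logic discussed above (the proposed `ldap_idle_disconnect = 30s`), run against a constructed stand-in for a firewall that silently drops flows idle for 30 minutes. All class and function names are hypothetical, and the clock is simulated so the run is deterministic.

```python
import time

class IdleDisconnectingClient:
    def __init__(self, connect, idle_disconnect, clock=time.monotonic):
        self._connect = connect        # factory returning an object with send()/close()
        self._idle = idle_disconnect   # seconds, like the proposed ldap_idle_disconnect
        self._clock = clock
        self._conn = None
        self._last_used = 0.0
        self.connects = 0

    def request(self, payload):
        now = self._clock()
        if self._conn is not None and now - self._last_used >= self._idle:
            # Idle too long: the path may have dropped the flow without any
            # FIN/RST, so close locally instead of trusting the socket.
            self._conn.close()
            self._conn = None
        if self._conn is None:
            self._conn = self._connect()
            self.connects += 1
        self._last_used = now
        return self._conn.send(payload)

class FirewalledConn:
    """Constructed stand-in: packets on a flow idle for drop_after seconds
    are silently discarded, so the caller only sees a timeout."""
    def __init__(self, clock, drop_after):
        self._clock, self._drop_after = clock, drop_after
        self._last_packet = clock()
    def send(self, payload):
        now = self._clock()
        if now - self._last_packet >= self._drop_after:
            raise TimeoutError("no reply: flow silently dropped")
        self._last_packet = now
        return b"ok:" + payload
    def close(self): pass

def simulate(idle_disconnect, firewall_drop=1800.0, quiet_period=2000.0):
    """Two lookups separated by a quiet period; returns (result, connects)."""
    now = [0.0]                        # simulated clock, in seconds
    clock = lambda: now[0]
    client = IdleDisconnectingClient(
        lambda: FirewalledConn(clock, firewall_drop), idle_disconnect, clock)
    client.request(b"lookup")
    now[0] += quiet_period
    try:
        return client.request(b"lookup"), client.connects
    except TimeoutError:
        return "hang", client.connects
```

With `idle_disconnect=30.0` the second lookup goes out on a fresh connection; with `float("inf")` (no idle disconnect) the client reuses the dropped flow and only sees the timeout.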