On 6.11.2012, at 11.38, Bernhard Schmidt wrote:

> I've been asked to have a look at a misbehaving mail server of some
> colleagues today where almost all logins were failing or excessively
> delayed, while the LDAP database itself was pretty fast.
>
> They run Dovecot 1.2.11 (yes, I know, stone age) against an LDAP server
> run by a 3rd party, auth_bind=yes (required). The problem is that this
> third party LDAP server delays bindResponse 3 seconds when the password
> is wrong. A user wanted to login every 2-3 seconds this morning with the
> wrong password, which effectively killed the system because the LDAP
> connection was mostly stalled waiting for the auth timeout.
>
> From a previous discussion with Timo I know that bindRequests cannot be
> parallelized in LDAP, so the problem does not come completely
> unexpected. Other than removing the failure delay in the LDAP server, is
> there anything one can do? If there is any change in newer Dovecot
> versions about that please tell me so I can encourage them to upgrade,
> but I haven't seen anything in the changelog.
>
> Any way to get several LDAP workers/connections for passdb in parallel?

Multiple LDAP connections is in TODO. The only alternative right now is to use e.g. checkpassword backend that does the ldap lookup in a script.
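
The checkpassword approach mentioned in the reply, as an added example that is not part of the original thread and not Dovecot's own code: every login attempt runs its own short-lived process with its own LDAP connection, so a delayed bindResponse for one wrong password stalls only that attempt. `LDAP_URI`, `DN_TEMPLATE` and the `USER_RE` login-name policy are placeholder assumptions, and the bind uses the python-ldap library.

```python
import os
import re
import sys

LDAP_URI = "ldaps://ldap.example.org"               # assumed placeholder
DN_TEMPLATE = "uid={},ou=people,dc=example,dc=org"  # assumed placeholder
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")       # assumed login-name policy
OK, AUTH_FAIL, TEMP_FAIL = 0, 1, 111                # checkpassword exit codes

def parse_request(blob):
    """Split the 'user NUL password NUL ...' record read from fd 3."""
    fields = blob.split(b"\0")
    if len(fields) < 3:
        raise ValueError("truncated checkpassword record")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")

def authenticate(blob, bind):
    """Return an exit code; bind(dn, password) returns bool or raises."""
    try:
        user, password = parse_request(blob)
    except ValueError:  # also covers UnicodeDecodeError
        return AUTH_FAIL
    # An empty password would be an LDAP unauthenticated bind, which many
    # servers accept; the allowlist keeps DN metacharacters out of the DN.
    if not password or not USER_RE.fullmatch(user):
        return AUTH_FAIL
    try:
        return OK if bind(DN_TEMPLATE.format(user), password) else AUTH_FAIL
    except Exception:
        return TEMP_FAIL  # server down or timed out, not a wrong password

def ldap_bind(dn, password):
    import ldap  # python-ldap, imported lazily; each process binds on its own
    conn = ldap.initialize(LDAP_URI)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
    try:
        conn.simple_bind_s(dn, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()

if __name__ == "__main__":
    with os.fdopen(3, "rb") as fd3:
        code = authenticate(fd3.read(512), ldap_bind)
    if code != OK:
        sys.exit(code)
    os.execvp(sys.argv[1], sys.argv[1:])  # run the reply program Dovecot passed
```

Returning 111 rather than 1 when the directory is unreachable keeps an LDAP outage distinguishable from a wrong password in the logs.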
