TremoloSecurity / MyVirtualDirectory

Open Source LDAP Virtual Directory
Apache License 2.0

Searches Hang When Proxied LDAP is Down #57

Open cteachworth opened 5 years ago

cteachworth commented 5 years ago

Hello,

I'm testing several LDAP directories proxied with LDAP interceptors. They're all exposed under a common root DSE. This works fantastically well unless one of the LDAP directories is down. If one is down it takes a long time for myvd to start, as it hangs on trying to contact the down LDAP server(s). Having one of the servers down also causes searches with a base of dc=test,dc=lan to hang and eventually time out.

I tried adjusting server.listener.maxTimeLimit and LDAPIntercept's maxMillis parameters but neither seemed to have any effect. Is there a way to get myvd to skip over the servers it can't connect to and continue to search the others?

Here are some relevant snippets from my configuration:

    server.Root.chain=RootDSE
    server.Root.RootDSE.config.namingContexts=dc=test,dc=lan
    ...

    server.a.chain=ldap
    server.a.nameSpace=ou=a,dc=test,dc=lan
    server.a.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
    server.a.ldap.config.host=a
    server.a.ldap.config.port=389
    server.a.ldap.config.remoteBase=dc=a,dc=lan
    server.a.ldap.config.type=ldap
    server.a.ldap.config.ignoreRefs=true
    server.a.ldap.config.passBindOnly=true
    ...

    server.b.chain=ldap
    server.b.nameSpace=ou=b,dc=test,dc=lan
    server.b.ldap.className=net.sourceforge.myvd.inserts.ldap.LDAPInterceptor
    server.b.ldap.config.host=b
    server.b.ldap.config.port=389
    server.b.ldap.config.remoteBase=dc=b,dc=lan
    server.b.ldap.config.type=ldap
    server.b.ldap.config.ignoreRefs=true
    server.b.ldap.config.passBindOnly=true
    ...

mlbiam commented 5 years ago

Is there a way to get myvd to skip over the servers it can't connect to and continue to search the others?

Yes, there are two options:

  1. Use the Required For Search insert. This will keep a failed search on a chain from stopping the search. This works well with "blackouts".

  2. "Brownouts", where the network connection hangs, are harder. The best approach for this is to use a directory routing insert to dynamically route requests to specific chains as opposed to sending requests to every chain. If there's an attribute you can route search requests on, such as a domain or email, this works well.

cteachworth commented 5 years ago

Implementing "required for search" and "route by attribute value" seems to work well. myvd still hangs on startup for 60 seconds on each LDAP server that isn't reachable via IP, and for the same amount of time if you perform a query that routes to an unreachable server. In a perfect world I could figure out how to get that timeout lower, but this is definitely workable. Thanks for your help and a great piece of software!

mlbiam commented 5 years ago

Fantastic! You're right, that should not hang you up. I've marked this as a bug so we know to get this working so that you don't run into this issue on startup.

antoine-gambino commented 5 years ago

Hello, I have the same problem with two Active Directories. When one is down, myvd stops responding with a connection error.

I have implemented the "Required For Search" insert, but I don't understand how to do the "route by attribute value".

Thanks for the reply.