plone / plone.app.ldap

Plone UI and integration of the functionality provided by LDAPMultiPlugins, LDAPUserFolder and PloneLDAP

zope hangs if ldap connection broken #12

Closed djay closed 11 years ago

djay commented 11 years ago

On Plone 4.1 I'm getting zope instances hanging indefinitely during certain network conditions (an ssh tunnel restarts intermittently, for example). I think it could be related to which timeouts are specified, e.g. http://stackoverflow.com/questions/6679910/python-ldap-simple-bind-s-timeout

mauritsvanrees commented 11 years ago

I can confirm this. The control panel has both a connection timeout and an operation timeout. I have set both, to 5 and 10 respectively, and defined and enabled an ldap server on localhost. This was an ssh tunnel that connected localhost port 389 (as root) with port 389 of a client ldap server. I loaded a page so the connection was created. Then I quit the ssh tunnel. After that, zope did not answer any requests that I tried and I had to restart the zope instance.

The problem is likely somewhere lower in the stack, maybe in Products.LDAPUserFolder. I had a quick look, but could not immediately discover what could be wrong.

djay commented 11 years ago

I looked at the code for LDAPUserFolder. OPT_NETWORK_TIMEOUT is set but OPT_TIMEOUT isn't.

I put a comment in here

https://bugs.launchpad.net/ldapuserfolder/+bug/650371

but I don't think it reopened that ticket.

On 02/07/2013, at 10:33 PM, Maurits van Rees notifications@github.com wrote:

> I can confirm this. The control panel has both a connection timeout and an operation timeout. I have set both, to 5 and 10 respectively, and defined and enabled an ldap server on localhost. This was an ssh tunnel that connected localhost port 389 (as root) with port 389 of a client ldap server. I loaded a page so the connection was created. Then I quit the ssh tunnel. After that, zope did not answer any requests that I tried and I had to restart the zope instance.
>
> The problem is likely somewhere lower in the stack, maybe in Products.LDAPUserFolder. I had a quick look, but could not immediately discover what could be wrong.


mauritsvanrees commented 11 years ago

Ha, I was using python-ldap 2.4.10. Updating to 2.4.13 (released last week) solves it. Tested on Plone 4.2.4.

See the python-ldap changelog.

At first, I tried modifying the _connect method of LDAPDelegate.py to explicitly set OPT_TIMEOUT, but it had no effect with the old python-ldap:


        # Set the operations timeout
        if op_timeout > 0:
            connection.timeout = op_timeout
            # The next line is new:
            connection.set_option(ldap.OPT_TIMEOUT, op_timeout)

With the newer python-ldap this made no difference either, at least not for this issue.

djay commented 11 years ago

nice

mauritsvanrees commented 11 years ago

Note my later comment in the LDAPUserFolder issue tracker though. python-ldap 2.4.13 seems to help a bit, but not enough.

djay commented 11 years ago

Went to pyconau on the weekend and saw a presentation about this https://pypi.python.org/pypi/interruptingcow. If we can't get python-ldap fixed in the near future, what do you think about using that to enforce the timeout?

mauritsvanrees commented 11 years ago

Can be an interesting option. There is not really any code in plone.app.ldap where that could be used though. That would be more at the level of LDAPUserFolder.

jgiannuzzi commented 11 years ago

Hi guys, I'm the one who wrote the patch that partially solved your problem in python-ldap 2.4.13. I have another patch that should hopefully completely solve your problem. Have a look at http://mail.python.org/pipermail/python-ldap/2013q3/003265.html.

djay commented 11 years ago

I was just testing your patch now. So far seems to work great. Thanks so much for that.
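
The general failure mode discussed in this thread, as an added example that is not part of the original issue and is not python-ldap or LDAPUserFolder code: a plain-socket sketch showing that a connection timeout alone does not bound a read on an already-established connection whose peer has gone silent, while a per-operation timeout does. The silent local server is a constructed stand-in for an LDAP endpoint behind a dead tunnel, and all function names are hypothetical.

```python
import socket
import threading

def start_silent_server():
    """Constructed stand-in for a peer behind a dead tunnel:
    accepts TCP connections but never sends a byte back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    held = []                           # keep sockets open: no EOF, no RST

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listening socket was closed
                return
            held.append(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, held

def request(port, connect_timeout, op_timeout):
    """Connect, send one request, wait for the reply.
    Returns 'reply', 'closed', 'op-timeout' or 'connect-failed'."""
    try:
        sock = socket.create_connection(("127.0.0.1", port),
                                        timeout=connect_timeout)
    except OSError:
        return "connect-failed"
    with sock:
        # The connect timeout has done its job; reads are bounded only by
        # this separate setting. None means "block forever".
        sock.settimeout(op_timeout)
        sock.sendall(b"constructed request")
        try:
            return "reply" if sock.recv(1024) else "closed"
        except socket.timeout:
            return "op-timeout"

def hangs(port, connect_timeout, op_timeout, watch=1.0):
    """Run request() in a worker thread, as a threaded app server would.
    Returns (still_blocked_after_watch_seconds, result_or_None)."""
    result = []
    worker = threading.Thread(
        target=lambda: result.append(request(port, connect_timeout, op_timeout)),
        daemon=True)
    worker.start()
    worker.join(watch)
    return worker.is_alive(), (result[0] if result else None)
```

In a threaded server each worker stuck in the first case is lost until restart, so monitoring for worker threads blocked in a network read is a useful availability check alongside setting both timeouts.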