Fixing LDAP Timeout Issues

Posted by Tres Fri, 21 Jul 2006 07:05:00 GMT

If you’re using nss_ldap and pam_ldap in FreeBSD, chances are you’ve run into the dreaded LDAP stall. If you’ve never run into it, it usually goes something like this: everything comes to a stop while the host keeps trying to reach an LDAP server that is down or unreachable. Nothing seems to work: you can’t log in remotely, you can’t even log in locally. And even once you are logged in, things like top just sit and wait for five minutes before they actually run.

The man pages don’t really help, and even Google proved to be frustratingly unhelpful regarding this one. For FreeBSD issues surrounding LDAP timeouts, Google seems invariably to point toward the useless TIMELIMIT directive. This is good for limiting how long your host will wait for a response from the LDAP server once it has made a connection, but it does nothing to bound how long the host will keep trying to make that connection in the first place.

To get FreeBSD to play nicely when the LDAP servers aren’t reachable, just add the following to your ldap.conf:

bind_policy soft

This seemingly undocumented directive is the nss_ldap/pam_ldap client’s reconnect policy. If it is set to hard (the default), the client keeps attempting to reconnect with exponential backoff, which is exactly what produces the stall. If it is set to soft, the reconnect policy is to fail immediately, so lookups return an error instead of blocking.
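A quick way to audit a host for this setting, as an added example that is not part of the original post: the script below reads an ldap.conf, reports the effective bind_policy (treating an absent directive as hard, the default), and shows a stalling configuration beside the fixed one. The file contents, host address and paths are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nss_ldap/pam_ldap
# ldap.conf for the reconnect policy. An absent bind_policy means hard,
# which is the setting that stalls the host when the server is unreachable.

ldap_bind_policy() {
    # Print the effective bind_policy from the file given as $1.
    # Skips comment lines, tolerates leading whitespace and mixed case,
    # and uses the last occurrence if the directive appears more than once.
    awk '
        tolower($1) == "bind_policy" { policy = tolower($2) }
        END { print (policy == "" ? "hard" : policy) }
    ' "$1"
}

check_bind_policy() {
    # Return 0 when lookups fail fast (soft), 1 when they will stall (hard).
    policy=$(ldap_bind_policy "$1")
    if [ "$policy" = "soft" ]; then
        echo "$1: bind_policy soft - lookups fail immediately when the server is down"
        return 0
    fi
    echo "$1: bind_policy $policy - lookups will stall with exponential backoff"
    return 1
}

# Constructed sample files (not real hosts): one that stalls, one that is fixed.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/ldap.conf.stall" <<'EOF'
# TIMELIMIT alone does not help: bind_policy is missing, so it defaults to hard
host 192.0.2.10
base dc=example,dc=com
timelimit 5
EOF
cat > "$tmpdir/ldap.conf.fixed" <<'EOF'
host 192.0.2.10
base dc=example,dc=com
timelimit 5
bind_policy soft
EOF

check_bind_policy "$tmpdir/ldap.conf.stall" || :
check_bind_policy "$tmpdir/ldap.conf.fixed" || :
```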
