Re: LDAP authentication timing out

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: James Sewell <james(dot)sewell(at)lisasoft(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: LDAP authentication timing out
Date: 2013-06-20 08:30:02
Message-ID: CABUevEx84SHU84KS7zRAbYggQDrKF31kM=u3X3dUWBEKpG4t8Q@mail.gmail.com
Lists: pgsql-general

On Thu, Jun 20, 2013 at 7:24 AM, James Sewell <james(dot)sewell(at)lisasoft(dot)com> wrote:

> Hello All,
>
> I have the following config:
>
> host samerole +myrole samenet ldap
> ldapserver="ldap1,ldap2,ldap3" ldapbinddn="mybinddn"
> ldapbindpasswd="mypass" ldapbasedn="mybase" ldapsearchattribute="myatt"
>
> Usually auth works perfectly with LDAP (starting a session from psql using
> an LDAP connection, authenticating with the LDAP password then exiting
> straight away) I see this:
>
> 2013-06-20 15:19:53 EST DEBUG: edb-postgres child[15901]: starting with (
> 2013-06-20 15:19:53 EST DEBUG: forked new backend, pid=15901 socket=10
> 2013-06-20 15:19:53 EST DEBUG: edb-postgres
> 2013-06-20 15:19:53 EST DEBUG: dccn
> 2013-06-20 15:19:53 EST DEBUG: )
> 2013-06-20 15:19:53 EST DEBUG: InitPostgres
> 2013-06-20 15:19:53 EST DEBUG: my backend ID is 1
> 2013-06-20 15:19:53 EST DEBUG: StartTransaction
> 2013-06-20 15:19:53 EST DEBUG: name: unnamed; blockState: DEFAULT;
> state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
> 2013-06-20 15:19:53 EST DEBUG: received password packet
> 2013-06-20 15:19:53 EST DEBUG: CommitTransaction
> 2013-06-20 15:19:53 EST DEBUG: name: unnamed; blockState: STARTED;
> state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
> 2013-06-20 15:19:56 EST DEBUG: shmem_exit(0): 7 callbacks to make
> 2013-06-20 15:19:56 EST DEBUG: proc_exit(0): 3 callbacks to make
> 2013-06-20 15:19:56 EST DEBUG: exit(0)
> 2013-06-20 15:19:56 EST DEBUG: shmem_exit(-1): 0 callbacks to make
> 2013-06-20 15:19:56 EST DEBUG: proc_exit(-1): 0 callbacks to make
> 2013-06-20 15:19:56 EST DEBUG: reaping dead processes
> 2013-06-20 15:19:56 EST DEBUG: server process (PID 15901) exited with
> exit code 0
>
> However around 10% of the time (although this varies) the session hangs
> after I type in my password till the auth timeout and I see this:
>
> 2013-06-20 15:07:46 EST DEBUG: forked new backend, pid=15587 socket=10
> 2013-06-20 15:07:46 EST DEBUG: edb-postgres child[15587]: starting with (
> 2013-06-20 15:07:46 EST DEBUG: edb-postgres
> 2013-06-20 15:07:46 EST DEBUG: dccn
> 2013-06-20 15:07:46 EST DEBUG: )
> 2013-06-20 15:07:46 EST DEBUG: InitPostgres
> 2013-06-20 15:07:46 EST DEBUG: my backend ID is 1
> 2013-06-20 15:07:46 EST DEBUG: StartTransaction
> 2013-06-20 15:07:46 EST DEBUG: name: unnamed; blockState: DEFAULT;
> state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
> 2013-06-20 15:07:46 EST DEBUG: received password packet
> 2013-06-20 15:08:46 EST DEBUG: shmem_exit(1): 7 callbacks to make
> 2013-06-20 15:08:46 EST DEBUG: proc_exit(1): 3 callbacks to make
> 2013-06-20 15:08:46 EST DEBUG: exit(1)
> 2013-06-20 15:08:46 EST DEBUG: shmem_exit(-1): 0 callbacks to make
> 2013-06-20 15:08:46 EST DEBUG: proc_exit(-1): 0 callbacks to make
> 2013-06-20 15:08:46 EST DEBUG: reaping dead processes
> 2013-06-20 15:08:46 EST DEBUG: server process (PID 15587) exited with
> exit code 1
>
> Anyone have any ideas? I never see this with MD5.
>
> I can do multiple quickfire binds from an LDAP application and the same bind
> DN with no problems.
>
>
Sounds like an issue either with your ldap server, your network or the ldap
client library. But it's kind of hard to tell. You're probably best off
getting a network trace of the traffic between the ldap server and
postgres, to see how far it gets at all - that's usually a good pointer
when it comes to timeouts.

Also, what version of postgres (looks from the names that this might be edb
advanced server and not actually postgres? In that case you might be better
off talking to the EDB people - they may have made some modifications to
the ldap code perhaps)?

What OS?
Versions?
What ldap client and version?
What ldap server?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
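
Before taking the network trace suggested above, it helps to know exactly which login attempts stalled and for how long, so the capture can be lined up with them. The following is an added example, not part of the original thread or of PostgreSQL: a small parser for debug logs in the format quoted above. The function name, the 30-second threshold and the sample log (lines re-joined from the quoted excerpts) are assumptions, as is treating CommitTransaction as the end of authentication.

```python
import re
from datetime import datetime

# Constructed sample: lines re-joined from the two excerpts quoted in the post.
SAMPLE_LOG = """\
2013-06-20 15:07:46 EST DEBUG: forked new backend, pid=15587 socket=10
2013-06-20 15:07:46 EST DEBUG: received password packet
2013-06-20 15:08:46 EST DEBUG: shmem_exit(1): 7 callbacks to make
2013-06-20 15:08:46 EST DEBUG: server process (PID 15587) exited with exit code 1
2013-06-20 15:19:53 EST DEBUG: forked new backend, pid=15901 socket=10
2013-06-20 15:19:53 EST DEBUG: received password packet
2013-06-20 15:19:53 EST DEBUG: CommitTransaction
2013-06-20 15:19:56 EST DEBUG: server process (PID 15901) exited with exit code 0
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ DEBUG:\s+(.*)$")
FORK = re.compile(r"forked new backend, pid=(\d+)")
EXIT = re.compile(r"server process \(PID (\d+)\) exited with exit code (\d+)")


def find_auth_stalls(log_text, stall_seconds=30):
    """Return (pid, password_time, seconds_waited, exit_code) per stalled login.

    Assumes one login attempt in flight at a time: this log format carries
    no PID on the "received password packet" line.
    """
    pid, password_at, stalls = None, None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if (f := FORK.search(msg)):
            pid, password_at = int(f.group(1)), None
        elif "received password packet" in msg:
            password_at = ts
        elif "CommitTransaction" in msg:
            # Heuristic from the excerpts: only the successful login logs this.
            password_at = None
        elif (e := EXIT.search(msg)) and int(e.group(1)) == pid:
            code = int(e.group(2))
            if password_at is not None and code != 0:
                waited = (ts - password_at).total_seconds()
                if waited >= stall_seconds:
                    stalls.append((pid, password_at.isoformat(sep=" "), waited, code))
            pid, password_at = None, None
    return stalls


if __name__ == "__main__":
    for row in find_auth_stalls(SAMPLE_LOG):
        print("pid %d: password at %s, exited %.0fs later, code %d" % row)
```

The timestamps it reports are the windows to look for in the capture between the PostgreSQL host and each of the LDAP servers listed in ldapserver.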
