LDAP > timeout

Moderator: crythias

nd0
Znuny expert
Posts: 232
Joined: 24 Mar 2015, 16:53
Znuny Version: 5.0.14
Location: Colonia

LDAP > timeout

Post by nd0 »

Hi,

I already tried it in the German part of this forum, but received no answer (and at the moment I'm not even able to find the thread).

We have multiple backends connected to our OTRS and if one of them is not reachable (e.g. VPN down) the whole system is not working properly anymore.

The "timeout" parameter in config.pm seems to be NOT WORKING ... does anyone have ANY information about that? How did you realize that?

Thanx, Andy
LIVE: OTRS 5.0.14 || Debian || MySQL/LDAP
TEST: OTRS 5.0.14 || Debian || MySQL/LDAP
root
Administrator
Posts: 3963
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP > timeout

Post by root »

Please provide the relevant part of your Config.pm
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: LDAP > timeout

Post by nd0 »

Hi, our config.pm is built like this:

Code:

# Customer 1 #                             

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '[IP address]';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = '[BaseDN]';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'mail';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '[SearchUserDN]';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '[SearchUserPW]';
    
    $Self->{CustomerUser} = {
      Name => 'Customer 1',
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
        Host => '[IP address]',
        BaseDN => '[BaseDN]',
        SSCOPE => 'sub',
        UserDN =>'[UserDN]',
        UserPw => '[UserPW]',
        SourceCharset => 'utf-8',
        DestCharset => 'iso-8859-1',
        AlwaysFilter => '(&(mail=*)(extensionAttribute10=customer1))',
      },
    # customer unique id
    CustomerKey => 'mail',
    # customer #
    CustomerID => 'extensionAttribute10',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['cn', 'mail'],
    CustomerUserSearchPrefix => '*',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'mail', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserDomain', 'DomainUser', 'userPrincipalName', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'extensionAttribute10', 0, 1, 'var' ],
      [ 'UserGroupID', 'UserGroupID', 'primaryGroupID', 0, 1, 'var' ],
    ],
    };    
    
########################################################

# Customer 2 #                             

    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'} = '[IP address]';
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = '[BaseDN]';
    $Self->{'Customer::AuthModule::LDAP::UID1'} = 'mail';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = '[SearchUserDN]';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '[SearchUserPW]';
    
    $Self->{CustomerUser1} = {
      Name => 'Customer 2',
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
        Host => '[IP address]',
        BaseDN => '[BaseDN]',
        SSCOPE => 'sub',
        UserDN =>'[UserDN]',
        UserPw => '[UserPW]',
        SourceCharset => 'utf-8',
        DestCharset => 'iso-8859-1',
        AlwaysFilter => '(&(mail=*)(extensionAttribute10=customer2))',
      },
    # customer unique id
    CustomerKey => 'mail',
    # customer #
    CustomerID => 'extensionAttribute10',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['cn', 'mail'],
    CustomerUserSearchPrefix => '*',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'mail', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserDomain', 'DomainUser', 'userPrincipalName', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'extensionAttribute10', 0, 1, 'var' ],
      [ 'UserGroupID', 'UserGroupID', 'primaryGroupID', 0, 1, 'var' ],
    ],
    };    
    
########################################################

[...]
    
We got 11 different customer IDs ... which results in 11 LDAP connections. Everything is working perfectly, except if one of those LDAP connections is not available ... for that we would like to add a timeout.

Already tried it different ways - the last try was something like:

Code:

$Self->{'Customer::AuthModule::LDAP::Params'} = {
      timelimit => 10,
    };

CPAN is saying that there is a parameter called "timeout" (https://metacpan.org/pod/Net::LDAP) which I was not able to set up properly:

CPAN wrote:
timeout => N

Timeout passed to IO::Socket when connecting the remote server. (Default: 120)

So I did some research and found out that the parameter "timeout" is ignored in some cases ... or maybe I just did it wrong :?

Re: LDAP > timeout

Post by root »

Using

Code:

timeout => 5

in each of your

Code:

Params => {..}

blocks is the solution.

Re: LDAP > timeout

Post by nd0 »

Thx for your reply, but I added

Code:

timeout = 5

in each of my

Code:

Params => { ... }

blocks, but still - if one LDAP connection does not respond, it takes about 120 seconds until "index.pl?Action=AdminCustomerUser" is "loaded".

I used the test system to delete every customer except one from the config.pm. I changed the IP address to a non-existing host and tried the timeout parameter 5 and '5' - without success - still 120 seconds "loading time".


/edit: For our agents, the config looks like this:

Code:

    ########################################################
    # ---------------------------------------------------- #
    #                                                      #
    #       Agents                #
    #                                                      #
    
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '[IP address]';
    $Self->{'AuthModule::LDAP::BaseDN'} = '';
    $Self->{'AuthModule::LDAP::UID'} = 'mail';   
    
    $Self->{'AuthModule::LDAP::SearchUserDN'} = '[SearchUserDN]';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '[SearchUserPW]';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(extensionAttribute10=OTRS-Agent)';
    
    $Self->{'AuthModule::LDAP::Params'} = {
      port => 389,
      timeout => 60,
      async => 0,
      version => 3,
    };
    
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '[IP address]';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = '[BaseDN]';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'mail';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '[SearchUserDN]';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '[SearchUserPW]';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
      UserFirstname => 'givenname',
      UserLastname => 'sn',
      UserEmail => 'mail',
    };
    
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
      'users',
    ]; 
    
    #                                                      #
    #                                                      #
    # ---------------------------------------------------- #
    ########################################################
There is a parameter for timeout too, and it's set to 60 ... maybe this setting overwrites the other timeout parameters?! :?

Re: LDAP > timeout

Post by root »

Try

Code:

timeout => 5

instead of

Code:

timeout = 5

Re: LDAP > timeout

Post by nd0 »

Sorry ... I already tried it with

Code:

timeout => 5

did not try with

Code:

timeout = 5

just a typo here ...

Re: LDAP > timeout

Post by nd0 »

Push?! :?

Meanwhile I found: Framework -> Frontend::Customer::Auth

If I got you right, I could try to put the "timeout" param here: Customer::AuthModule::LDAP::Params ?

~~~

Is there nobody who has problems with the LDAP timeout?
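
Added example, not part of the thread and not OTRS/Znuny code: a standalone Perl check, run from the OTRS host, that calls Net::LDAP->new directly with the `timeout` option discussed above and measures how long each backend takes to connect or fail. The helper name `probe_ldap`, the 5-second limit, the 2-second slack and the default host are assumptions; 192.0.2.10 is a documentation address standing in for an unreachable backend.

```perl
#!/usr/bin/perl
# Added example (not from the thread): time Net::LDAP connection attempts
# outside OTRS to see whether the 'timeout' option is honoured on this host.
use strict;
use warnings;
use Net::LDAP;
use Time::HiRes qw(time);

# Assumed values: pass the Host entries from Config.pm as arguments.
# 192.0.2.10 (TEST-NET-1) is a constructed stand-in for an unreachable backend.
my @hosts   = @ARGV ? @ARGV : ('192.0.2.10');
my $timeout = 5;    # seconds, the value suggested in the thread
my $slack   = 2;    # tolerated overshoot before the timeout counts as ignored

# Hypothetical helper: returns (status, seconds, message) for one host.
sub probe_ldap {
    my ( $host, $limit ) = @_;
    my $start = time;
    my $ldap  = Net::LDAP->new(
        $host,
        port    => 389,
        timeout => $limit,    # handed to IO::Socket for the connect
        version => 3,
    );
    my $error   = $@;         # Net::LDAP->new returns undef and sets $@ on failure
    my $elapsed = time - $start;

    if ($ldap) {
        $ldap->unbind;
        return ( 'CONNECTED', $elapsed, 'connect succeeded' );
    }
    my $status = $elapsed > $limit + $slack ? 'TIMEOUT-IGNORED' : 'FAILED-IN-TIME';
    return ( $status, $elapsed, $error || 'no error text' );
}

my $bad = 0;
for my $host (@hosts) {
    my ( $status, $elapsed, $msg ) = probe_ldap( $host, $timeout );
    printf "%-16s %-16s %6.1fs  %s\n", $host, $status, $elapsed, $msg;
    $bad++ if $status eq 'TIMEOUT-IGNORED';
}
exit( $bad ? 1 : 0 );    # non-zero exit if any host overran the limit
```

If an unreachable host reports FAILED-IN-TIME here while the OTRS page still takes about 120 seconds, that points at the option not reaching Net::LDAP from the configuration in use rather than at Net::LDAP itself.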