How to modify ldap.conf to switch to the secondary ldap server more quickly.

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5

  • nssldap

Issue

  • It takes a long time to switch from the primary LDAP server to the secondary LDAP server when the primary LDAP server has trouble.
  • Are there any tunables to improve this?

Resolution

  • Normally "getent passwd" can reproduce this issue, and "strace getent passwd" helps to find the cause of the delay.
  • Values are in seconds, so adjust them to the needs of the environment. In this example we use 20 seconds.
  • If the delay is caused by the search, specify a timeout value for the search by editing the file /etc/ldap.conf:
    timelimit 20

  • If the delay is caused by the bind from the client to the LDAP server, for example (1) if the primary server is unreachable, or (2) if the LDAP daemon hangs, then "bind_timelimit" controls the timeout in seconds. Set both "bind_policy soft" and "bind_timelimit" in /etc/ldap.conf:
    bind_policy soft
    bind_timelimit 20

Please see the man page (man nss_ldap) for details.
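The following shell script is an added example, not part of the Red Hat article or of nss_ldap itself. It applies the three settings above (timelimit, bind_policy soft, bind_timelimit) to an ldap.conf file idempotently, replacing any existing active or commented-out line for the same key so the file is left with exactly one unambiguous setting, and reads back the effective values the way nss_ldap does (the last uncommented occurrence wins). The 20-second default, the file path, and the sample ldap.conf built in demo() are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): set the nss_ldap failover
# timeouts in an ldap.conf file and read them back. Assumptions: the target
# file defaults to /etc/ldap.conf in practice, the timeout defaults to the
# article's 20 seconds, and the sample file in demo() is constructed.

# Print the effective value of an option. nss_ldap honours the last
# uncommented "key value" line, so that is what we return (empty if unset).
get_ldap_option() {
    file=$1; key=$2
    awk -v k="$key" '$1 == k { v = $2 } END { print v }' "$file"
}

# Write "key value", first dropping any earlier active or commented-out line
# for the same key, so the file ends up with a single, unambiguous setting.
set_ldap_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    # grep returns 1 when nothing survives the filter; that is not an error here
    grep -Ev "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Apply the article's three settings. $2 is the timeout in seconds and must
# be a positive integer; it defaults to 20 as in the article.
apply_failover_timeouts() {
    file=$1; secs=${2:-20}
    case $secs in
        ''|*[!0-9]*|0) echo "timeout must be a positive integer (got '$secs')" >&2; return 1 ;;
    esac
    set_ldap_option "$file" timelimit "$secs"
    set_ldap_option "$file" bind_policy soft
    set_ldap_option "$file" bind_timelimit "$secs"
}

# Demonstration on a constructed sample file (not a real configuration):
# note the stale "#timelimit 120" and "bind_policy hard" lines get replaced.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample ldap.conf
uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
#timelimit 120
bind_policy hard
EOF
    apply_failover_timeouts "$f" 20
    echo "timelimit=$(get_ldap_option "$f" timelimit)"
    echo "bind_policy=$(get_ldap_option "$f" bind_policy)"
    echo "bind_timelimit=$(get_ldap_option "$f" bind_timelimit)"
    rm -f "$f"
}

demo
```

Run it against a copy of /etc/ldap.conf first, then compare with "diff" before replacing the real file; afterwards, "time getent passwd" with the primary server down should complete in roughly the configured number of seconds instead of hanging for the library's built-in default.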

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
