Re: LDAP authentication timing out - Mailing list pgsql-general

From Magnus Hagander
Subject Re: LDAP authentication timing out
Msg-id CABUevEx84SHU84KS7zRAbYggQDrKF31kM=u3X3dUWBEKpG4t8Q@mail.gmail.com
In response to LDAP authentication timing out  (James Sewell <james.sewell@lisasoft.com>)
Responses Re: LDAP authentication timing out  (James Sewell <james.sewell@lisasoft.com>)
List pgsql-general
On Thu, Jun 20, 2013 at 7:24 AM, James Sewell <james.sewell@lisasoft.com> wrote:
Hello All,

I have the following config:

host    samerole        +myrole         samenet            ldap ldapserver="ldap1,ldap2,ldap3" ldapbinddn="mybinddn" ldapbindpasswd="mypass" ldapbasedn="mybase" ldapsearchattribute="myatt"

Usually auth works perfectly with LDAP (starting a session from psql using an LDAP connection, authenticating with the LDAP password then exiting straight away), and I see this:

2013-06-20 15:19:53 EST DEBUG:  edb-postgres child[15901]: starting with (
2013-06-20 15:19:53 EST DEBUG:  forked new backend, pid=15901 socket=10
2013-06-20 15:19:53 EST DEBUG:          edb-postgres
2013-06-20 15:19:53 EST DEBUG:          dccn
2013-06-20 15:19:53 EST DEBUG:  )
2013-06-20 15:19:53 EST DEBUG:  InitPostgres
2013-06-20 15:19:53 EST DEBUG:  my backend ID is 1
2013-06-20 15:19:53 EST DEBUG:  StartTransaction
2013-06-20 15:19:53 EST DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
2013-06-20 15:19:53 EST DEBUG:  received password packet
2013-06-20 15:19:53 EST DEBUG:  CommitTransaction
2013-06-20 15:19:53 EST DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
2013-06-20 15:19:56 EST DEBUG:  shmem_exit(0): 7 callbacks to make
2013-06-20 15:19:56 EST DEBUG:  proc_exit(0): 3 callbacks to make
2013-06-20 15:19:56 EST DEBUG:  exit(0)
2013-06-20 15:19:56 EST DEBUG:  shmem_exit(-1): 0 callbacks to make
2013-06-20 15:19:56 EST DEBUG:  proc_exit(-1): 0 callbacks to make
2013-06-20 15:19:56 EST DEBUG:  reaping dead processes
2013-06-20 15:19:56 EST DEBUG:  server process (PID 15901) exited with exit code 0

However around 10% of the time (although this varies) the session hangs after I type in my password till the auth timeout and I see this:

2013-06-20 15:07:46 EST DEBUG:  forked new backend, pid=15587 socket=10
2013-06-20 15:07:46 EST DEBUG:  edb-postgres child[15587]: starting with (
2013-06-20 15:07:46 EST DEBUG:          edb-postgres
2013-06-20 15:07:46 EST DEBUG:          dccn
2013-06-20 15:07:46 EST DEBUG:  )
2013-06-20 15:07:46 EST DEBUG:  InitPostgres
2013-06-20 15:07:46 EST DEBUG:  my backend ID is 1
2013-06-20 15:07:46 EST DEBUG:  StartTransaction
2013-06-20 15:07:46 EST DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
2013-06-20 15:07:46 EST DEBUG:  received password packet
2013-06-20 15:08:46 EST DEBUG:  shmem_exit(1): 7 callbacks to make
2013-06-20 15:08:46 EST DEBUG:  proc_exit(1): 3 callbacks to make
2013-06-20 15:08:46 EST DEBUG:  exit(1)
2013-06-20 15:08:46 EST DEBUG:  shmem_exit(-1): 0 callbacks to make
2013-06-20 15:08:46 EST DEBUG:  proc_exit(-1): 0 callbacks to make
2013-06-20 15:08:46 EST DEBUG:  reaping dead processes
2013-06-20 15:08:46 EST DEBUG:  server process (PID 15587) exited with exit code 1

Anyone have any ideas? I never see this with MD5.

I can do multiple quickfire binds from an LDAP application and the same bind DN with no problems.


Sounds like an issue either with your LDAP server, your network or the LDAP client library. But it's kind of hard to tell. You're probably best off getting a network trace of the traffic between the LDAP server and postgres, to see how far it gets at all - that's usually a good pointer when it comes to timeouts.

Also, what version of postgres (looks from the names that this might be edb advanced server and not actually postgres? In that case you might be better off talking to the EDB people - they may have made some modifications to the ldap code perhaps)?

What OS?
Versions?
What ldap client and version?
What ldap server?

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
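
Added example, not part of the original messages: one way to pull the stalled logins described in this thread out of the server log, by measuring the gap between "received password packet" and the backend's exit. It assumes the log format quoted above, where lines carry no PID prefix, so the password packet is attributed to the most recently forked backend (valid only when sessions do not overlap); the function name `auth_stalls` and the 60-second threshold, taken from the gap in the failing excerpt, are assumptions.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \w+:\s+(.*)$")
FORK = re.compile(r"forked new backend, pid=(\d+)")
EXIT = re.compile(r"server process \(PID (\d+)\) exited with exit code (\d+)")

def auth_stalls(lines, threshold_s=60):
    """Return (pid, seconds_waited, exit_code) for backends that exited
    non-zero at least threshold_s after 'received password packet'."""
    password_at = {}  # pid -> time the password packet was logged
    current = None    # most recently forked backend (assumption: no overlap)
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if (f := FORK.search(msg)):
            current = int(f.group(1))
        elif msg.startswith("received password packet") and current is not None:
            password_at[current] = ts
        elif (e := EXIT.search(msg)):
            pid, code = int(e.group(1)), int(e.group(2))
            start = password_at.pop(pid, None)
            if start is None:
                continue
            waited = int((ts - start).total_seconds())
            if code != 0 and waited >= threshold_s:
                findings.append((pid, waited, code))
    return findings

# Abridged from the two log excerpts quoted in the message above.
SAMPLE = """\
2013-06-20 15:07:46 EST DEBUG:  forked new backend, pid=15587 socket=10
2013-06-20 15:07:46 EST DEBUG:  received password packet
2013-06-20 15:08:46 EST DEBUG:  exit(1)
2013-06-20 15:08:46 EST DEBUG:  server process (PID 15587) exited with exit code 1
2013-06-20 15:19:53 EST DEBUG:  forked new backend, pid=15901 socket=10
2013-06-20 15:19:53 EST DEBUG:  received password packet
2013-06-20 15:19:56 EST DEBUG:  exit(0)
2013-06-20 15:19:56 EST DEBUG:  server process (PID 15901) exited with exit code 0
"""

if __name__ == "__main__":
    for pid, waited, code in auth_stalls(SAMPLE.splitlines()):
        print(f"backend {pid}: {waited}s after password packet, exit code {code}")
```

The timestamps of a flagged backend give the window to look at in the network trace suggested in the reply.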
