In FreeIPA we have the following architecture:
Kerberos (UDP) > KDC > RADIUS (UNIX/stream) > ipa-otpd > LDAP (UNIX/stream) > dirsrv
The middle socket (RADIUS) is long-lived (no idle timeout). This allows us to reuse the connection for multiple UDP packets, increasing speed.
The last socket is also long-lived for the same reason. However, dirsrv routinely shuts down this socket after hitting the nsslapd-idletimeout. It would be nice to avoid this.
This socket is used for proxying authentications to an LDAP bind. Thus, although the process is able to autobind, it doesn't.
It would be very nice to find a way to exempt this socket from nsslapd-idletimeout.
Metadata Update from @npmccallum: - Issue set to the milestone: 1.3.6.0
Can you just use a nsIdleTimeout on the service account with a limit of -1? That should exempt it from c_idletimeout.
Metadata Update from @firstyear: - Custom field reviewstatus adjusted to new - Issue close_status updated to: None
Metadata Update from @firstyear: - Issue assigned to firstyear
@npmccallum See my previous comment please, I think you can do this with nsIdleTimeout on the service account you bind as.
Metadata Update from @firstyear: - Custom field reviewstatus reset (from new)
No, because the socket is used for binding.
Metadata Update from @firstyear: - Issue set to the milestone: 1.4 backlog (was: 1.3.6.0)
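The two settings discussed above, written out as an added LDIF example (not from the ticket or the 389-ds-base project): the server-wide nsslapd-idletimeout in cn=config, and the per-account nsIdleTimeout override suggested for the account ipa-otpd binds as. The DN of the service account and the value 3600 are constructed placeholders, not values from this deployment.

```ldif
# Added example, not part of the ticket. Server-wide idle timeout (seconds).
# 3600 is an illustrative value, not the deployment's actual setting.
dn: cn=config
changetype: modify
replace: nsslapd-idletimeout
nsslapd-idletimeout: 3600

# Per-account override as proposed in the thread: -1 disables the idle
# timeout for a connection while it is bound as this entry. The DN is a
# constructed placeholder for the service account ipa-otpd would bind as.
dn: uid=otpd-proxy,ou=services,dc=example,dc=com
changetype: modify
replace: nsIdleTimeout
nsIdleTimeout: -1
```

Apply with `ldapmodify -x -D "cn=Directory Manager" -W -f idle-timeout.ldif`. The per-entry limit is picked up by a connection at bind time from the identity it binds as, so it only protects the socket for as long as the socket stays bound as that service account. A connection that is reused to bind as each end user being authenticated, which is what the thread describes, inherits each of those users' limits instead, which is why the override does not cover this case.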
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: https://github.com/389ds/389-ds-base/issues/2057
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)