LDAP recovery?

Daniel Fisher dfisher at vt.edu
Tue Apr 9 23:04:17 EDT 2019


On Tue, Apr 9, 2019 at 3:10 PM Paul B. Henson <henson at cpp.edu> wrote:

> I don't remember seeing these before in the same scenario. It looks like
> when this occurs the idp simply fails the LDAP query and presumably
> whatever login transaction was attempted at that time? I would expect on an
> LDAP failure for it to try to reconnect to the LDAP server and reissue the
> query, which would work, as the reconnection would hit a different backend
> service to the load balancer that wasn't bound. I haven't received any
> complaints, but presumably people would just retry once or twice and it
> would work so we might not get any. In my interpreting this correctly as a
> failure, and if so, is there any way to get it to not fail and retry
> instead?


Your load balancer should send resets to all client connections in this
scenario, that will allow the active query to retry properly. A response
timeout does not cause a retry, it's handled as an error as is typically an
indication that your query is missing an index.

--Daniel Fisher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190409/71491076/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6317 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://shibboleth.net/pipermail/users/attachments/20190409/71491076/attachment.p7s>


More information about the users mailing list