[ejabberd] openLDAP sometimes authentication fail

coolix coolix at free.fr
Fri Jun 6 18:07:03 MSD 2008


Hello

I'm running ejabberd v2.0.0 with LDAP authentication. Sometimes (it
happens randomly) users are refused connection.
This is the XML message that is echoed to them:

<iq type='error' from='my.jabber.com' id='auth_2'>\n<query
xmlns='jabber:iq:auth'>\n<username>login</username>\n<password>password</password>\n<resource>Psi</resource>\n</query>\n<error
code='401' type='auth'><not-authorized
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>"

I checked the LDAP log and saw ejabberd is using 2 connections to the
LDAP server. One for searching and the other one for binding.
If one of those connections is NOT established when the user tries to
log in, the authentication fails with the XML message mentioned
above.
If both are established, authentication works fine.

Isn't ejabberd supposed to send keepalive packets to avoid the LDAP
timeout being triggered? According to the LDAP logs it seems not:
Jun 06 00:03:51  <debug> slapd[19422]: conn=9 fd=12 ACCEPT from
IP=192.168.10.30:44996 (IP=0.0.0.0:389)
Jun 06 00:03:51  <debug> slapd[19422]: conn=10 fd=13 ACCEPT from
IP=192.168.10.30:56954 (IP=0.0.0.0:389)
Jun 06 00:03:51  <debug> slapd[19662]: conn=9 op=0 BIND dn="" method=128
Jun 06 00:03:51  <debug> slapd[19662]: conn=9 op=0 RESULT tag=97 err=0 text=
Jun 06 00:03:51  <debug> slapd[19661]: conn=10 op=0 BIND dn="" method=128
Jun 06 00:03:51  <debug> slapd[19661]: conn=10 op=0 RESULT tag=97 err=0 text=
Jun 06 00:04:36  <debug> slapd[19422]: conn=9 fd=12 closed
Jun 06 00:04:36  <debug> slapd[19422]: conn=10 fd=13 closed
Jun 06 00:04:41  <debug> slapd[19422]: conn=11 fd=12 ACCEPT from
IP=192.168.10.30:52937 (IP=0.0.0.0:389)
Jun 06 00:04:41  <debug> slapd[19422]: conn=12 fd=13 ACCEPT from
IP=192.168.10.30:46782 (IP=0.0.0.0:389)
and so on...

I'm not really keen to increase the openldap timeout to an infinite value.
I had a quick glance in ejabberd source code and saw there is a
RETRY_TIMEOUT. It's currently set to 5000 and I will try to set it to
a lower value like 500. As I understand the problem, this will only
narrow the gap in which auth could potentially be refused, at the
expense of increased network traffic.

--
coolix
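Added illustration (not code from the post or from ejabberd): a small Python check that walks slapd log lines in the format quoted above and reports, per connection, how long it stayed open (the idle timeout when no keepalive is sent) and the windows in which fewer than two connections were open, i.e. the gap in which a login would be refused until the reconnect. The sample lines are constructed from the post's excerpt, the second cycle (conn=11..14) is invented, and it assumes only ejabberd connects to this slapd.

```python
import re
from datetime import datetime

# Constructed sample modelled on the slapd excerpt in the post (wrapped lines
# joined); the second cycle (conn=11..14) is invented to show the pattern repeating.
SAMPLE_LOG = """\
Jun 06 00:03:51  <debug> slapd[19422]: conn=9 fd=12 ACCEPT from IP=192.168.10.30:44996 (IP=0.0.0.0:389)
Jun 06 00:03:51  <debug> slapd[19422]: conn=10 fd=13 ACCEPT from IP=192.168.10.30:56954 (IP=0.0.0.0:389)
Jun 06 00:03:51  <debug> slapd[19662]: conn=9 op=0 BIND dn="" method=128
Jun 06 00:04:36  <debug> slapd[19422]: conn=9 fd=12 closed
Jun 06 00:04:36  <debug> slapd[19422]: conn=10 fd=13 closed
Jun 06 00:04:41  <debug> slapd[19422]: conn=11 fd=12 ACCEPT from IP=192.168.10.30:52937 (IP=0.0.0.0:389)
Jun 06 00:04:41  <debug> slapd[19422]: conn=12 fd=13 ACCEPT from IP=192.168.10.30:46782 (IP=0.0.0.0:389)
Jun 06 00:05:26  <debug> slapd[19422]: conn=11 fd=12 closed
Jun 06 00:05:26  <debug> slapd[19422]: conn=12 fd=13 closed
Jun 06 00:05:31  <debug> slapd[19422]: conn=13 fd=12 ACCEPT from IP=192.168.10.30:40001 (IP=0.0.0.0:389)
Jun 06 00:05:31  <debug> slapd[19422]: conn=14 fd=13 ACCEPT from IP=192.168.10.30:40002 (IP=0.0.0.0:389)
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\s+<\w+> slapd\[\d+\]: "
                     r"conn=(?P<conn>\d+) fd=\d+ (?P<event>ACCEPT|closed)")
EXPECTED_CONNS = 2  # one search + one bind connection, as the post describes

def parse_conn_events(text):
    """Return [(timestamp, conn_id, event)] for ACCEPT/closed lines; BIND/RESULT lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog stamps carry no year; only deltas are used, so the 1900 default is fine
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), int(m["conn"]), m["event"]))
    return events

def analyse_connections(events):
    """lifetimes: seconds each conn stayed open (approximates slapd's idle timeout when no
    keepalive is sent). windows: (start, end, seconds) during which fewer than EXPECTED_CONNS
    were open, i.e. the gap in which a login would be refused until ejabberd reconnects."""
    opened, lifetimes, windows, gap_start = {}, {}, [], None
    for ts, conn, event in events:
        if event == "ACCEPT":
            opened[conn] = ts
            if gap_start is not None and len(opened) >= EXPECTED_CONNS:
                windows.append((gap_start, ts, (ts - gap_start).total_seconds()))
                gap_start = None
        elif conn in opened:
            lifetimes[conn] = (ts - opened.pop(conn)).total_seconds()
            if gap_start is None and len(opened) < EXPECTED_CONNS:
                gap_start = ts
    return lifetimes, windows
```

On the sample this yields 45-second lifetimes (the slapd idle timeout) and 5-second refusal windows, matching the 5000 ms RETRY_TIMEOUT the post mentions.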

