
Bug #12715 (open)

Long system startup time when LDAP is configured and unavailable during startup.

Added by Christian McDonald almost 3 years ago. Updated almost 3 years ago.

Status: New
Priority: Normal
Category: Authentication
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: Plus-Next
Release Notes: Default
Affected Version:
Affected Architecture:

Description

  1. Currently, if LDAP is unavailable at system startup, several LDAP queries have to time out before the system will proceed with startup. There is no recycling of connections, so n LDAP queries require n separate connections, and thus n separate timeouts. This results in a hang at startup that is several minutes long in some cases, probably dependent on the number of LDAP calls that are required (e.g. n * LDAP_timeout).
  2. If LDAP is unavailable during system startup, the system will appear to hang at "Synchronizing user settings...".
  3. This is unavoidable if LDAP connectivity relies on a VPN (e.g. IPsec, WireGuard, etc.), FRR for dynamic routes, etc.; these services are started later in the startup process.
  4. We should implement some sort of global state that will prevent subsequent LDAP queries if one times out during system startup, as subsequent attempts are likely to fail as well.

Related to https://redmine.pfsense.org/issues/11644

#1

Updated by Viktor Gurov almost 3 years ago

Christian McDonald wrote:

> 1. Currently, if LDAP is unavailable at system startup, several LDAP queries have to time out before the system will proceed with startup. There is no recycling of connections, so n LDAP queries require n separate connections, and thus n separate timeouts. This results in a hang at startup that is several minutes long in some cases, probably dependent on the number of LDAP calls that are required (e.g. n * LDAP_timeout).
> 2. If LDAP is unavailable during system startup, the system will appear to hang at "Synchronizing user settings...".
> 3. This is unavoidable if LDAP connectivity relies on a VPN (e.g. IPsec, WireGuard, etc.), FRR for dynamic routes, etc.; these services are started later in the startup process.
> 4. We should implement some sort of global state that will prevent subsequent LDAP queries if one times out during system startup, as subsequent attempts are likely to fail as well.

But what if we have an unstable connection to the LDAP server? It fails on startup, but is OK later?

> Related to https://redmine.pfsense.org/issues/11644

This issue is not related to #11644

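The startup short-circuit proposed in point 4 of the description, together with the retry-after-startup behaviour that answers the unstable-connection question in #1, as an added illustration. This is Python written for this page, not pfSense code (which is PHP) and not from the ticket's authors. The LDAP server, the clock, the 12 lookups, the 10 s per-query timeout and the 60 s cooldown are all constructed stand-ins; `StartupLdapBreaker`, `FakeLdapServer` and `boot` are names assumed here. The breaker trips on the first timeout, refuses every further lookup while the box is still booting (n timeouts become one), and once startup is over lets a single probe through after the cooldown, so a server that was merely unreachable during boot is picked up again.

```python
"""Added illustration: startup-phase LDAP circuit breaker (not pfSense code)."""
from dataclasses import dataclass
from typing import Callable, Optional


class LdapUnavailable(Exception):
    """Raised when a lookup times out or is short-circuited by the breaker."""


class FakeClock:
    """Constructed clock: time only moves when the simulation advances it."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeLdapServer:
    """Constructed stand-in for a directory that is reachable only from
    `up_at` seconds onward (e.g. once the VPN or dynamic route is up).
    Every attempt before that burns a full network timeout, as a real
    connection would."""

    def __init__(self, clock: FakeClock, up_at: float, timeout: float) -> None:
        self.clock, self.up_at, self.timeout = clock, up_at, timeout
        self.calls = 0  # connections actually attempted

    def search(self, base: str) -> list:
        self.calls += 1
        if self.clock() < self.up_at:
            self.clock.advance(self.timeout)
            raise TimeoutError(f"ldap search {base} timed out")
        return [f"uid=user{i},{base}" for i in range(3)]


@dataclass
class StartupLdapBreaker:
    """Global state shared by all LDAP lookups on the box (assumed design)."""

    clock: Callable[[], float]
    cooldown: float = 60.0          # how long to stay open once startup is over
    in_startup: bool = True
    tripped_at: Optional[float] = None
    skipped: int = 0                # lookups answered without touching the network

    def query(self, fn: Callable[[], list]) -> list:
        if self.tripped_at is not None:
            # Booting: never retry, the services the LDAP path depends on are
            # started later anyway. Running: retry once the cooldown has
            # passed (half-open), so a server that merely flapped is picked
            # up again instead of being treated as permanently dead.
            if self.in_startup or self.clock() - self.tripped_at < self.cooldown:
                self.skipped += 1
                raise LdapUnavailable("skipped: LDAP breaker open")
        try:
            result = fn()
        except TimeoutError as exc:
            self.tripped_at = self.clock()  # trip (or re-trip) the breaker
            raise LdapUnavailable(str(exc)) from exc
        self.tripped_at = None              # a success closes the breaker
        return result

    def startup_complete(self) -> None:
        self.in_startup = False


def boot(n_queries: int, ldap_up_at: float, use_breaker: bool,
         timeout: float = 10.0) -> dict:
    """Run `n_queries` LDAP lookups during startup, then one more after
    startup once the directory is reachable; report what it cost."""
    clock = FakeClock()
    server = FakeLdapServer(clock, up_at=ldap_up_at, timeout=timeout)
    breaker = StartupLdapBreaker(clock)
    lookup = lambda: server.search("ou=people,dc=example,dc=com")
    run = (lambda: breaker.query(lookup)) if use_breaker else lookup

    for _ in range(n_queries):
        try:
            run()
        except (TimeoutError, LdapUnavailable):
            pass  # fall back to local users; keep booting
    startup_seconds = clock()
    breaker.startup_complete()

    # Later: the VPN is up and the cooldown has elapsed. Does LDAP come back?
    clock.advance(max(0.0, ldap_up_at - clock()) + breaker.cooldown)
    try:
        run()
        recovered = True
    except (TimeoutError, LdapUnavailable):
        recovered = False

    return {"startup_seconds": startup_seconds, "server_calls": server.calls,
            "skipped": breaker.skipped, "recovered": recovered}


if __name__ == "__main__":
    for flag in (False, True):
        label = "breaker" if flag else "no breaker"
        print(label, boot(12, ldap_up_at=300.0, use_breaker=flag))
```

With the directory reachable only five minutes into boot, the plain run spends 12 x 10 s = 120 s in "Synchronizing user settings..." while the breaker run spends 10 s and skips the other eleven lookups; both recover LDAP afterwards, and a server that was only down for the first few seconds of boot is likewise picked up by the post-startup probe. The price is that a server which comes back mid-boot is ignored until startup finishes, which is the trade-off the ticket is asking to make.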