LDAP authentication works for a bit then fails and can't recover

Hello everyone,

I'm running a server for about 200 people and using ldap for authentication and vCard info. We've applied the ldap ssl patches as well so connections from ejabberd->ldap are using tls.

The problem we're having is that the server runs fine for anywhere from 4-24 hours and then the ldap connections stop being able to make searches or binds. Users with existing connections are unaffected, but any attempts to make any vCard requests or authenticate fail.

I haven't determined if it is related yet, but for the sake of completion, our ldap server is configured to disconnect idle connections (which causes ejabberd to recycle many connections in the pool) on a pretty short timeout.

Any help would be greatly appreciated.

Logs/Config after the jump

Yours,
timlin45

The logs show entries like this when the failure mode is present:

=ERROR REPORT==== 2009-03-12 16:48:44 ===
E(<0.6393.0>:eldap_pool:69) : LDAP request failed: eldap:search([[{base,
                                                                   "o=somedomain.com"},
                                                                  {filter,
                                                                   {'and',
                                                                    [{equalityMatch,
                                                                      {'AttributeValueAssertion',
                                                                       "uid",
                                                                       "someuser"}},
                                                                     {equalityMatch,
                                                                      {'AttributeValueAssertion',
                                                                       "objectClass",
                                                                       "account"}}]}},
                                                                  {attributes,
                                                                   []}]])
Reason: {shutdown,
            {gen_fsm,sync_send_event,
                [<0.192.0>,
                 {search,
                     {eldap_search,wholeSubtree,"o=somedomain.com",
                         {'and',
                             [{equalityMatch,
                                  {'AttributeValueAssertion',"uid","someuser"}},
                              {equalityMatch,
                                  {'AttributeValueAssertion',"objectClass",
                                      "account"}}]},
                         0,[],false,0}},
                 infinity]}}

=INFO REPORT==== 2009-03-12 16:48:44 ===
I(<0.6393.0>:ejabberd_c2s:578) : ({socket_state,tls,{tlssock,#Port<0.7788>,#Port<0.7790>},<0.6392.0>}) Failed authentication for someuser@somedomain.com

We're running release 2.0.3 in a single server configuration.

{auth_method, ldap}.
%%
%% List of LDAP servers:
{ldap_servers, ["ldap.somedomain.com"]}.
%%
%% Encryption of connection to LDAP servers:
{ldap_encrypt, tls}.
%%
%% Port connect to LDAP server:
{ldap_port, 636}.
%%
%% LDAP manager:
%%{ldap_rootdn, "dc=example,dc=com"}.
%%
%% Password to LDAP manager:
%%{ldap_password, "******"}.
%%
%% Search base of LDAP directory:
{ldap_base, "o=somedomain.com"}.
%%
%% LDAP attribute that holds user ID:
{ldap_uids, [{"uid", "%u"}]}.
%%
%% LDAP filter:
{ldap_filter, "(objectClass=account)"}.

{modules, [
  {mod_adhoc,    []},
  {mod_announce, [{access, announce}]}, % recommends mod_adhoc
  {mod_admin_extra, []},
  {mod_caps,     []},
  {mod_configure,[]}, % requires mod_adhoc
  {mod_disco,    []},
  {mod_echo,   [{host, "myself"}]},
  {mod_irc,      []},
  {mod_last,     []},
  {mod_muc,      [
                  %%{host, "conference.@HOST@"},
                  {access, muc},
                  {access_create, muc},
                  {access_persistent, muc},
                  {access_admin, muc_admin}
                 ]},
  %%{mod_muc_log,[]},
  {mod_offline,  []},
  {mod_privacy,  []},
  {mod_private,  []},
  %%{mod_proxy65,[]},
  {mod_pubsub,   [ % requires mod_caps
                  {access_createnode, pubsub_createnode},
                  {plugins, ["default", "pep"]}
                 ]},
  {mod_roster,   []},
  %%{mod_service_log,[]},
  {mod_shared_roster,[]},
  {mod_stats,    []},
  {mod_time,     []},
  {mod_vcard_ldap,    [{ldap_vcard_map, [{"NICKNAME", "%s", ["gecos"] },
                                         {"DESC", "%s", ["description"]},
                                         {"TEL", "%s", ["telephoneNumber"]},
                                         {"EMAIL", "%s", ["mail"]},
                                         {"PHOTO", "%s", ["jpegPhoto"]}
                                        ]}
                      ]},
  {mod_version,  []}
 ]}.
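One way to catch this failure mode from the log instead of from user complaints, added here as an example and not code from the post or from ejabberd: it groups the multi-line Erlang report blocks shown above, keeps only the eldap_pool ERROR reports, and flags a burst of them, which separates the stuck pool from the single recycles caused by the LDAP idle timeout. The sample log lines are constructed to match the format in the post.

```python
import re
from collections import deque
from datetime import datetime, timedelta
# ejabberd 2.0.3 report header: "=ERROR REPORT==== 2009-03-12 16:48:44 ==="
HEADER = re.compile(r"^=(?P<level>[A-Z]+) REPORT==== (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ===")
LDAP_FAIL = re.compile(r"eldap_pool:\d+\) : LDAP request failed: eldap:(?P<op>\w+)\(")
REASON = re.compile(r"^Reason: \{(?P<reason>\w+),")

def parse_reports(lines):
    """Group log lines into (timestamp, level, body_lines), one tuple per multi-line report."""
    ts, level, body = None, None, []
    for line in map(str.rstrip, lines):
        m = HEADER.match(line)
        if m and ts is not None:
            yield ts, level, body
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            level, body = m.group("level"), []
        elif ts is not None:
            body.append(line)
    if ts is not None:
        yield ts, level, body

def ldap_failures(lines):
    """[(timestamp, op, reason)] per eldap_pool ERROR report; the c2s INFO reports are the symptom, so skipped."""
    out = []
    for ts, level, body in parse_reports(lines):
        ops = [m.group("op") for m in map(LDAP_FAIL.search, body) if m]
        reasons = [m.group("reason") for m in map(REASON.match, body) if m]
        if level == "ERROR" and ops:
            out.append((ts, ops[0], reasons[0] if reasons else None))
    return out

def pool_outage(failures, threshold=5, window=timedelta(minutes=5)):
    """Return the time at which `threshold` failures fell inside `window` (pool stuck), else None."""
    recent = deque()
    for ts, _op, _reason in sorted(failures, key=lambda f: f[0]):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # a lone failure ages out: that is a normal idle-disconnect recycle
        if len(recent) >= threshold:
            return ts
    return None

def _report(ts, level, *body):  # builds one constructed report block shaped like the post's log
    return [f"={level} REPORT==== {ts} ===", *body, ""]

ERR = ("E(<0.6393.0>:eldap_pool:69) : LDAP request failed: eldap:search([[{base,",
       "Reason: {shutdown,", "            {gen_fsm,sync_send_event, [<0.192.0>, ...]}}")
SAMPLE_LOG = _report("2009-03-12 10:00:01", "ERROR", *ERR)  # one transient failure
SAMPLE_LOG += _report("2009-03-12 10:00:01", "INFO",
    "I(<0.6393.0>:ejabberd_c2s:578) : Failed authentication for someuser@somedomain.com")
for _s in range(40, 46):  # then six failures in six seconds: the stuck-pool state
    SAMPLE_LOG += _report(f"2009-03-12 16:48:{_s}", "ERROR", *ERR)
```

Run it against the live ejabberd.log (for example `pool_outage(ldap_failures(open(path)))`) from a cron job or monitoring check and alert when it returns a timestamp; a non-None result is the point at which the pool needs to be restarted or investigated.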