We're running ejabberd 17.07 on an Ubuntu 17.10 VM, and authenticating against an Active Directory on Windows Server 2012 R2.
This mostly works, but several times a day, logging in fails. It appears ejabberd runs into a timeout trying to look up information from the LDAP server. Restarting the daemon like so:
sudo ejabberdctl restart
...obviously kicks everyone out, but afterwards, logging in immediately works again.
I see no apparent related logs on the Windows end (I've looked in the Security and Directory Service logs), suggesting authentication wasn't actually attempted. However, on the ejabberd side, logs like this one sometimes show up:
2018-04-30 13:08:05.560 [error] <0.587.0>@eldap_pool:do_request:75 LDAP request failed: timed out
And when relaunching the server, this one:
2018-04-30 14:58:35.524 [error] <0.793.0>@eldap_pool:do_request:77 LDAP request failed: eldap:search([[{base,<<"ou=Mitarbeiter,dc=…,dc=local">>},{filter,{and,[{equalityMatch,{'AttributeValueAssertion',<<"objectCategory">>,<<"group">>}},{equalityMatch,{'AttributeValueAssertion',<<"cn">>,<<"Alle Mitarbeiter">>}}]}},{timeout,5},{deref_aliases,never},{attributes,[<<"sAMAccountName">>]}]])
Reason: {shutdown,{gen_fsm,sync_send_event,[<0.462.0>,{search,{eldap_search,wholeSubtree,<<"ou=Mitarbeiter,dc=trenz,dc=local">>,{and,[{equalityMatch,{'AttributeValueAssertion',<<"objectCategory">>,<<"group">>}},{equalityMatch,{'AttributeValueAssertion',<<"cn">>,<<"Alle Mitarbeiter">>}}]},0,[<<"sAMAccountName">>],false,neverDerefAliases,5}},110500]}}
Notice the "reason: shutdown" part.
Cursory searches suggest this is related to TCP keepalive settings, namely: it appears ejabberd expects the LDAP connection to be left open, whereas Active Directory (silently) expects the request to be a single transaction. Is my understanding of this roughly correct?
If so, short of patching the ejabberd binary as suggested here and in other places, what can I do?
(I've also tried, to no avail, to tweak keepalive settings on the Linux machine.)
0 Answers
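The failure mode in the question is a pooled, long-lived LDAP connection that the server side has dropped while idle, so the next request goes into a dead socket and times out until the daemon is restarted. The following is an added example, not code from the question, from ejabberd or from eldap: a small pooled TCP client in Python that does the two things a fix normally does, namely enable TCP keepalive on its own socket (which is what the eldap patches the question refers to do; the Linux `net.ipv4.tcp_keepalive_*` sysctls only apply to sockets that set `SO_KEEPALIVE`, so tuning them has no effect on a daemon that never sets it) and reconnect once when the pooled socket turns out to be dead. A throwaway echo server that closes connections idle for longer than `idle_limit_s` stands in for the directory server; the keepalive values, hostnames and message payloads are constructed for the demo and are not taken from the page.

```python
"""Added example: pooled client with per-socket TCP keepalive and reconnect-once.
Stand-in server and all parameter values are constructed for this demo."""
import socket
import threading
import time
from typing import Dict, Optional, Tuple

KEEPALIVE_IDLE_S = 60       # silence before the first probe (constructed value)
KEEPALIVE_INTERVAL_S = 10   # seconds between probes
KEEPALIVE_COUNT = 3         # unanswered probes before the kernel declares the peer dead
REQUEST_TIMEOUT_S = 2.0     # per-request timeout, like eldap's {timeout,5}


def enable_keepalive(sock: socket.socket, idle: int = KEEPALIVE_IDLE_S,
                     interval: int = KEEPALIVE_INTERVAL_S, count: int = KEEPALIVE_COUNT) -> None:
    """Opt this socket in to keepalive and override the system-wide sysctl defaults."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):      # Linux; macOS names the idle option TCP_KEEPALIVE
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def keepalive_settings(sock: socket.socket) -> Dict[str, int]:
    """Read back what the kernel holds for this socket (handy when checking a daemon's fd)."""
    out = {"so_keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name in ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT"):
        if hasattr(socket, name):
            out[name.lower()] = sock.getsockopt(socket.IPPROTO_TCP, getattr(socket, name))
    return out


class PooledClient:
    """One long-lived connection reused across requests, the way an LDAP pool does."""

    def __init__(self, host: str, port: int) -> None:
        self.addr = (host, port)
        self.sock: Optional[socket.socket] = None
        self.reconnects = 0

    def _connect(self) -> None:
        self.sock = socket.create_connection(self.addr, timeout=REQUEST_TIMEOUT_S)
        enable_keepalive(self.sock)

    def _exchange(self, payload: bytes) -> bytes:
        assert self.sock is not None
        self.sock.sendall(payload + b"\n")
        data = self.sock.recv(4096)
        if not data:  # EOF: the peer closed the idle connection under us
            raise ConnectionResetError("peer closed pooled connection")
        return data.rstrip(b"\n")

    def request(self, payload: bytes) -> bytes:
        """Try the pooled socket; on timeout/reset/EOF reconnect once and retry."""
        if self.sock is None:
            self._connect()
        try:
            return self._exchange(payload)
        except OSError:  # socket.timeout, ConnectionResetError, BrokenPipeError
            self.close()
            self.reconnects += 1
            self._connect()
            return self._exchange(payload)

    def close(self) -> None:
        if self.sock is not None:
            self.sock.close()
            self.sock = None


def start_idle_closing_server(idle_limit_s: float) -> Tuple[str, int]:
    """Echo server that closes any connection silent for idle_limit_s (stand-in for AD)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def handle(conn: socket.socket) -> None:
        conn.settimeout(idle_limit_s)
        try:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        except socket.timeout:
            pass  # idle too long: drop the client without any application-level notice
        finally:
            conn.close()

    def accept_loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def demo(idle_limit_s: float = 0.3) -> Dict[str, object]:
    host, port = start_idle_closing_server(idle_limit_s)
    client = PooledClient(host, port)
    first = client.request(b"bind")
    settings = keepalive_settings(client.sock)
    time.sleep(idle_limit_s * 3)          # sit idle longer than the server tolerates
    second = client.request(b"search")    # pooled socket is dead; client reconnects once
    client.close()
    return {"first": first, "second": second, "reconnects": client.reconnects, "settings": settings}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the second request succeeding with `reconnects == 1`, which is the behaviour a pool needs instead of a full daemon restart; `keepalive_settings()` is also a quick way to confirm, from a test client, that keepalive is actually enabled on the socket rather than assuming the sysctls apply.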