FCGI error when LDAP connections are closed by intermediate network equipment
We got an annoying issue with Net::LDAP, with an installation that has a firewall between LL::NG and OpenLDAP, and that closes idle connections.
The error in LL::NG logs is:
[Tue Jun 18 15:32:39.036048 2019] [fcgid:warn] [pid 43403] [client 81.250.130.213:44870] mod_fcgid: read data timeout in 40 seconds, referer: https://auth.openid.club/?cancel=1
[Tue Jun 18 15:32:39.036110 2019] [core:error] [pid 43403] [client 81.250.130.213:44870] End of script output before headers: index.fcgi, referer: https://auth.openid.club/?cancel=1
This can be easily reproduced on a local installation by suspending OpenLDAP (the process is stopped, not killed, so the TCP connection stays open but never answers) with:
pkill -STOP slapd
The issue is in Net::LDAP: the configured timeout only applies when opening the connection, not when sending an operation on an already-open connection, so a search or bind on a connection silently dropped by the firewall blocks until mod_fcgid gives up.
Workarounds are:
- Set an idle timeout on the OpenLDAP server, lower than the firewall idle timeout, so the server closes the connection cleanly before the firewall drops it:
olcIdleTimeout: 1800
- Change the TCP keepalive timeout on the LL::NG server (but this is global to all services running on this server, and the sysctl setting is not persistent across reboots unless also written to /etc/sysctl.d/):
sudo sysctl net.ipv4.tcp_keepalive_time=1800
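The following is an added example, not LL::NG or Net::LDAP code, showing the two application-level alternatives to the global workarounds above: enabling keepalive on the LDAP socket only (Net::LDAP's keepalive option plus per-socket TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT, which are Linux-specific), and bounding each operation with alarm() so a dead connection fails fast and is reopened instead of hanging the FCGI process. The server URI, base DN, filter and timeout values are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not LL::NG or Net::LDAP code): per-socket TCP keepalive
# and an alarm()-based deadline around Net::LDAP operations.
use strict;
use warnings;
use Net::LDAP;
# TCP_KEEP* constants are Linux-specific; Socket.pm exports them where defined.
use Socket qw(IPPROTO_TCP TCP_KEEPIDLE TCP_KEEPINTVL TCP_KEEPCNT);

# Assumed values: adjust to the real directory.
my $LDAP_URI   = 'ldap://ldap.example.com';
my $BASE_DN    = 'dc=example,dc=com';
my $OP_TIMEOUT = 10;    # seconds allowed for one search/bind
my $KEEP_IDLE  = 600;   # send keepalives well before the firewall idle timeout

sub ldap_connect {
    # 'timeout' only bounds the TCP connect; 'keepalive' sets SO_KEEPALIVE.
    my $ldap = Net::LDAP->new($LDAP_URI, timeout => 5, keepalive => 1)
        or die "connect failed: $@";
    # Tune keepalive on this socket only, instead of the global sysctl.
    my $sock = $ldap->socket;
    $sock->setsockopt(IPPROTO_TCP, TCP_KEEPIDLE,  $KEEP_IDLE);
    $sock->setsockopt(IPPROTO_TCP, TCP_KEEPINTVL, 30);
    $sock->setsockopt(IPPROTO_TCP, TCP_KEEPCNT,   3);
    return $ldap;
}

# Run one Net::LDAP operation with a hard deadline. Returns the
# Net::LDAP::Message on success, undef (with $@ set) when the deadline expires.
sub with_deadline {
    my ($timeout, $code) = @_;
    my $result;
    eval {
        local $SIG{ALRM} = sub { die "LDAP operation timed out after ${timeout}s\n" };
        alarm $timeout;
        $result = $code->();
        alarm 0;
    };
    my $err = $@;
    alarm 0;    # never leave an alarm pending for the caller
    if ($err) { $@ = $err; return undef; }
    return $result;
}

sub search_uid {
    my ($ldap, $uid) = @_;
    return $ldap->search(base => $BASE_DN, scope => 'sub', filter => "(uid=$uid)");
}

my $ldap = ldap_connect();
my $mesg = with_deadline($OP_TIMEOUT, sub { search_uid($ldap, 'jdoe') });

if (!defined $mesg) {
    # Dead connection (e.g. dropped by the firewall, or slapd stopped with
    # SIGSTOP): drop it and reconnect instead of blocking mod_fcgid.
    warn "LDAP search failed: $@";
    $ldap->disconnect;
    $ldap = ldap_connect();
    $mesg = with_deadline($OP_TIMEOUT, sub { search_uid($ldap, 'jdoe') })
        or die "LDAP still unreachable: $@";
}
die "LDAP error: " . $mesg->error if $mesg->code;
printf "%d entries\n", $mesg->count;
```

With slapd suspended (pkill -STOP slapd) the first search now dies after $OP_TIMEOUT seconds instead of hanging until the mod_fcgid read timeout; the reconnect will also fail under the deadline until slapd is resumed (pkill -CONT slapd). Note that after an alarm interrupts Net::LDAP mid-operation the object must be treated as unusable, which is why the code reconnects rather than retrying on the same handle.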