On 12/10/2017 01:08 PM, Aaron Hicks via FreeIPA-users wrote:

We’ve got a number (hundreds) of hosts inside a private network, these all query the FreeIPA server for user and group information using NAT and a gateway server.

However we’re having issues with the LDAP queries timing out or becoming unresponsive.

Is there a limit on the number of concurrent connections from a single host (e.g. the NAT gateway)?

I'm not aware of such a limit in 389-ds, but if there were one, I'd expect you to see a fast lookup failure, rather than a timeout.

Instead, you might want to investigate the NAT gateway.  The common case with NAT gateways is a fairly short TCP timeout which causes long-lived but infrequently-used connections to time out, producing the kind of unresponsive behavior you're describing.  In that case, you might need to increase the NAT timeout on the gateway.  If that's not an option, you should migrate to sssd instead of nscd.  sssd has a configurable idle timeout, so that you can configure the systems to disconnect after an idle period that matches whatever limit is imposed by your NAT gateway.

Is there a way of increasing the number of simultaneous connections to FreeIPA/dirsrv?

Determine whether or not that's the problem, first.  Maybe monitor your FreeIPA server connections.  Once a minute, record the output of "ss -ta | grep :389 | grep ESTAB".  If you're seeing clients hang when there are different numbers of active connections at the server, it's less likely to be a FreeIPA problem, and more likely to be a NAT problem.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
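The per-minute connection sampling suggested in the reply above, written out as an added example (this is not code from the thread or from the FreeIPA project). It summarizes established connections to port 389 per client address, so a NAT gateway that fronts hundreds of hosts shows up as one peer IP whose count can be tracked over time against when clients hang. One caveat: `ss` resolves port numbers to service names from /etc/services unless `-n` is given, so the example uses `ss -tan` to keep `:389` numeric. The log path, the interval and the sample `ss` output embedded for offline use are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Summarize ESTAB connections to the LDAP port (389) per peer address from
# `ss -tan` output, and optionally sample that once a minute into a log file.

# count_ldap_peers: reads `ss -tan` output on stdin and prints
# "<count> <peer-address>" lines for ESTAB connections whose local port is
# 389, highest count first.  Field layout of `ss -tan`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
count_ldap_peers() {
    awk '$1 == "ESTAB" && $4 ~ /:389$/ {
             peer = $5
             sub(/:[0-9]+$/, "", peer)   # strip the ephemeral source port
             n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -rn
}

# total_ldap_estab: prints only the total number of ESTAB connections to :389.
total_ldap_estab() {
    awk '$1 == "ESTAB" && $4 ~ /:389$/ { c++ } END { print c + 0 }'
}

# sample_loop: every INTERVAL seconds append one line to LOG with a UTC
# timestamp, the total, and the three busiest peers.  Run this on the
# FreeIPA server and compare the log against client hang reports.
# Defaults (/var/log/ldap-conns.log, 60 s) are assumptions for this example.
sample_loop() {
    log=${1:-/var/log/ldap-conns.log}
    interval=${2:-60}
    while :; do
        snap=$(ss -tan)
        total=$(printf '%s\n' "$snap" | total_ldap_estab)
        top=$(printf '%s\n' "$snap" | count_ldap_peers | head -3 | tr '\n' ' ')
        printf '%s total=%s top=%s\n' "$(date -u +%FT%TZ)" "$total" "$top" >> "$log"
        sleep "$interval"
    done
}

# Constructed sample of `ss -tan` output for offline demonstration: three
# connections from a NAT gateway (192.0.2.1), one from a directly attached
# host, plus lines that must be ignored (TIME-WAIT, port 636, port 22).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.10:389 192.0.2.1:40001
ESTAB 0 0 10.0.0.10:389 192.0.2.1:40002
ESTAB 0 0 10.0.0.10:389 192.0.2.1:40003
ESTAB 0 0 10.0.0.10:389 10.0.0.22:51000
TIME-WAIT 0 0 10.0.0.10:389 192.0.2.1:40004
ESTAB 0 0 10.0.0.10:636 192.0.2.1:40005
ESTAB 0 0 10.0.0.10:22 10.0.0.22:51001'

# demo_sample: run both summaries over the constructed sample.
demo_sample() {
    printf 'total ESTAB on :389: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | total_ldap_estab)"
    printf '%s\n' "$SAMPLE_SS" | count_ldap_peers
}

# Start the sampler only when asked explicitly, e.g.
#   sh ldap-conns.sh --run /var/log/ldap-conns.log 60
# so that sourcing the file for the functions does not loop forever.
if [ "${1-}" = "--run" ]; then
    sample_loop "$2" "$3"
fi
```

If the peer count on the gateway address stays modest and steady while clients still hang, the server side is probably not the bottleneck and the NAT gateway's idle TCP timeout is the next thing to check; on the client side the matching sssd knob is `ldap_idle_timeout` in the `[domain/...]` section of sssd.conf.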