Hi Andrew,

Single operations are fine. From the command line, names resolve quickly, 
especially once cached, and ldapsearch and other commands work when properly 
authenticated.

When the hosts behind the NAT process a job, it starts a burst of activity and 
initiates a large number of LDAP connections (multiple connections per host, 
about a hundred hosts) to refresh or initialise the credential cache. We’re 
seeing a large proportion of these initial connections timing out without a 
response, and the nscd cache not being populated, so then it happens again.

We’re not seeing errors in the FreeIPA or slapd logs either; well, nothing that 
seems to be ‘timeout’, ‘idle connections’, ‘connection limit exceeded’, etc.

Regards,

Aaron
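One way to tell whether the gateway is actually hitting a ceiling on the server side is to read the 389-ds access log for the NAT address: how many connections from it are open at the same moment, and how many are closed by the server without ever having received a RESULT. The script below is an added example and not part of this thread; the log lines are constructed in the 389-ds access-log format, the gateway address 10.0.0.5 is assumed, and the code after `closed -` is the server's disconnect code (U1 for a client unbind, T1 for an idle-timeout close).

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format (not taken from the thread).
# conn=3 is opened and closed by idle timeout (T1) without ever getting a RESULT.
SAMPLE_LOG = """\
[11/Dec/2017:21:52:01.000 +0300] conn=1 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[11/Dec/2017:21:52:01.010 +0300] conn=2 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.1
[11/Dec/2017:21:52:01.030 +0300] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000102
[11/Dec/2017:21:52:01.040 +0300] conn=3 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1
[11/Dec/2017:21:52:01.050 +0300] conn=4 fd=67 slot=67 connection from 10.0.0.9 to 10.0.0.1
[11/Dec/2017:21:52:01.070 +0300] conn=2 op=0 RESULT err=0 tag=101 nentries=1 etime=0.000210
[11/Dec/2017:21:52:01.080 +0300] conn=1 op=-1 fd=64 closed - U1
[11/Dec/2017:21:52:31.000 +0300] conn=3 op=-1 fd=66 closed - T1
[11/Dec/2017:21:52:31.010 +0300] conn=2 op=-1 fd=65 closed - U1
"""

CONN_OPEN = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ")
CONN_RESULT = re.compile(r"conn=(\d+) op=\d+ RESULT ")
CONN_CLOSE = re.compile(r"conn=(\d+) op=-1 fd=\d+ closed(?: - (\w+))?")

def analyse(log_text):
    """Per client IP: connections opened, peak open at once, and closes without any RESULT."""
    open_conns = {}             # conn id -> client ip, for connections still open
    current = defaultdict(int)  # client ip -> number of connections open right now
    got_result = set()          # conn ids that received at least one RESULT
    stats = defaultdict(lambda: {"opened": 0, "peak": 0, "no_result": []})
    for line in log_text.splitlines():
        if m := CONN_OPEN.search(line):
            conn, ip = m.group(1), m.group(2)
            open_conns[conn] = ip
            current[ip] += 1
            stats[ip]["opened"] += 1
            stats[ip]["peak"] = max(stats[ip]["peak"], current[ip])
        elif m := CONN_RESULT.search(line):
            got_result.add(m.group(1))
        elif m := CONN_CLOSE.search(line):
            conn, code = m.group(1), m.group(2) or "?"
            ip = open_conns.pop(conn, None)
            if ip is None:
                continue  # opened before the start of the excerpt; nothing to account for
            current[ip] -= 1
            if conn not in got_result:
                stats[ip]["no_result"].append((conn, code))
    return dict(stats)

if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        print(f"{ip}: opened={s['opened']} peak={s['peak']} closed_without_result={s['no_result']}")
```

A high peak from the gateway address with many T1 closes and no RESULT lines points at connections that were accepted but never served, which is a different problem from connections being refused outright.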

From: Andrew Radygin <randr...@gmail.com>
Sent: Tuesday, 12 December 2017 8:23 AM
To: Aaron Hicks <aaron.hi...@nesi.org.nz>
Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Subject: Re: [Freeipa-users] FreeIPA connection limits?

So are you saying your 389-ds isn't responding to a simple ldapsearch, for 
instance, even if there isn't a huge number of logins to hosts? Just from 
refreshing the cache on host clients? But if you don't have sssd (which does 
kernel caching of privileges), then all your clients are doing an ldapsearch or 
something like it against 389-ds every time (but I could be wrong).

Though I think LDAP is really fast and could stand thousands of requests.

What are the access and error logs of DS showing you?

2017-12-11 21:52 GMT+03:00 Aaron Hicks <aaron.hi...@nesi.org.nz>:

Hi Andrew,

I’m afraid it’s often happening during the initial population of the cache. 
Also, these hosts are all LDAP only and caching with nscd, as they only need 
user and group name resolution. This was done to minimise changes to their 
software image as they’re stateless/diskless hosts.

From: Andrew Radygin <randr...@gmail.com>
Sent: Monday, December 11, 2017 7:54:45 PM
To: FreeIPA users list
Cc: Aaron Hicks
Subject: Re: [Freeipa-users] FreeIPA connection limits? 

Is sssd caching of privileges working?

I mean, supposing there is no reply from the IPA server, it should use the local 
cache for existing users.

2017-12-11 0:08 GMT+03:00 Aaron Hicks via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org>:

Hello the list,

We’ve got a number (hundreds) of hosts inside a private network; these all 
query the FreeIPA server for user and group information via NAT and a gateway 
server.

However, we’re having issues with the LDAP queries timing out or becoming 
unresponsive.

Is there a limit on the number of concurrent connections from a single host 
(e.g. the NAT gateway)?

Is there a way of increasing the number of simultaneous connections to 
FreeIPA/dirsrv?

Regards,

Aaron


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

-- 

Best regards, Andrew.

-- 

Best regards, Andrew.
