> On Mon, 14 Feb 2005, Dustin Doris wrote:
>
> > On Mon, 14 Feb 2005, Joe H wrote:
> >
> > > On Sat, 12 Feb 2005, energy wrote:
> > >
> > > > Sorry, I'm just a lurker on this list and certainly no expert. However,
> > > > last time I saw someone mention this issue it had to do with log rotation.
> > > > Check to make sure logs are not being rotated every hour.
> > > >
> > > > Anyway, just a thought.
> > > >
> > > The accounting logs are on a separate server so those logs shouldn't
> > > affect it.  The radius.log file is rotated once a month and the ldap logs
> > > are rotated hourly because they get so large so fast, but it's done on the
> > > hour and the timeouts happen anytime.
> > >
> > > Thanks for the input.
> > >
> > > Joe H.
> > >
> > >
> > > > On Friday 11 February 2005 13:25, Joe H wrote:
> > > > > I work for an ISP with about 75,000 users.  The user information
> > > > > is stored in an ldap database which freeradius uses to
> > > > > authenticate against.  On a fairly regular basis I've been
> > > > > seeing radius timeouts for no apparent reason.  It doesn't seem
> > > > > to be a server load issue and nothing is showing up in the logs.
> > > > > I've noticed that it seems to be pretty consistent time wise.
> > > > > Some people have reported it happening every hour or so and it
> > > > > seems to happen almost exactly an hour after it happened the
> > > > > previous time.  For instance, if it first happened at 10:38am, it
> > > > > would most likely happen again at 11:38am.  It's usually being
> > > > > noticed on email clients as they check email on a pretty regular
> > > > > basis.
> > > > >
> > > > > My question is, has anyone else noticed symptoms similar to
> > > > > these?  I know it seems pretty strange but I figured I'd check.
> > > > > I'm working on setting up monitoring and possibly a little more
> > > > > verbose logging but thought asking here might help point me in
> > > > > the right direction.  System information below.
> > > > >
> > > > > OS - freebsd 4.10
> > > > > freeradius - 1.0.1
> > > > > openldap - 2.2.19
> > > > >
> > > > > load on the box is pretty low so that shouldn't be an issue.
> > > > >
> > > > > Joe H.
> > > > >
> >
> > First, do you think you could get lucky enough to capture one of those in
> > debug mode?  Perhaps if you encounter one you could fire up radius in
> > debug mode about 59 minutes later?
> >
> > Also, can you do an ldapsearch from the command line with a reasonable
> > response time during one of those periods?
> >
> > If not, then what backend are you using for ldap?  If you are using BDB
> > what are your DB_CONFIG settings?  Also, do you have checkpoint set in
> > your slapd.conf file?
> >
> This is a production machine so messing with radius during the day is
> pretty much out but I haven't tried catching one at night.  ldapsearch is
> pretty fast but I've never specifically tried one during one of the
> timeouts, I'll see what I can do.
>
> We are currently using ldbm for our ldap backend.  Is BDB a better choice
> for this kind of thing?
>
> Joe H.
>

I use ldbm as well in production right now, but we are running old 2.0
openldap code.  With the new versions they recommend bdb as a backend,
specifically 4.2.52 with the patches.  That should be what is installed
when you install openldap 2.2x from ports in freebsd.  4.3 has shown some
problems with 2.2, so I wouldn't go that route.  They will be officially
supporting 4.3 in the 2.3 release, whenever that happens.

I've been using bdb in the lab right now and it's been working great for
us, plus has some enhanced features like db_recover and setting specific
things in your DB_CONFIG file such as how big you want the cache to be.
There is a lot of info in the FAQ on openldap.org that will recommend it
and say why.  But, it's a lot harder to configure because you have to learn
BDB.  LDBM for us was just plug in and go when I originally set it up.

But, back to your problem.  I'm not sure if the backend is related.  I
would be interested to know if the slowdown is in fact ldap related.  If
you can ever get lucky and run an ldapsearch when the timeouts are
occurring, that could help isolate the problem.  We've never had issues
like that, though.  You could also try (as you suggested) increasing your
logging on ldap and see if you can notice anything in the openldap logs.

If you think it might be ldap related, you could also check your ldap
queries and make sure that the particular queries you are making are
properly indexed.  My searches are pretty simple, so I only index
objectClass, uid, and radiusGroupname with an eq index.  That covers every
search we make pretty well.

The fact that it seems to happen at certain intervals really makes it
sound like a rogue cronjob or backup.  Perhaps even one of those that is
taking place on the ldap server(s).


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
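
An added example, not part of the original thread: one way to test the "rogue cronjob" theory is to find the minute past the hour that the timeouts cluster on and list crontab entries that fire at or shortly before it. The timestamps, the crontab contents (including the `ldap-export.sh` and `nightly-backup.sh` paths) and all function names below are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

def expand(field, lo, hi):
    """Expand one numeric crontab field (*, a, a-b, lists, /step) into a set."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            first, last = lo, hi
        elif "-" in rng:
            first, last = map(int, rng.split("-"))
        else:
            first = int(rng)
            last = hi if step else first
        values.update(range(first, last + 1, int(step or 1)))
    return values

def dominant_minute(timestamps, tolerance=1):
    """Return (minute-of-hour most events cluster on, share of events within +/- tolerance)."""
    counts = Counter(datetime.strptime(t, "%Y-%m-%d %H:%M").minute for t in timestamps)
    def near(m):
        return sum(counts[(m + d) % 60] for d in range(-tolerance, tolerance + 1))
    best = max(range(60), key=near)
    return best, near(best) / len(timestamps)

def suspect_jobs(crontab_text, minute, lead=5, max_per_hour=4):
    """Entries that run in several hours of the day and fire at `minute` or up to `lead` minutes earlier."""
    window = {(minute - d) % 60 for d in range(lead + 1)}
    hits = []
    for line in map(str.strip, crontab_text.splitlines()):
        fields = line.split(None, 5)
        # Skip blanks, comments, @hourly-style shortcuts and VAR=value lines.
        if len(fields) < 6 or line[0] in "#@" or "=" in fields[0]:
            continue
        minutes, hours = expand(fields[0], 0, 59), expand(fields[1], 0, 23)
        # Heuristic: a job firing every few minutes cannot explain a once-an-hour symptom.
        if len(hours) > 1 and len(minutes) <= max_per_hour and minutes & window:
            hits.append(line)
    return hits

# Constructed sample data (not from the thread): timeout times and a system crontab.
TIMEOUTS = ["2005-02-11 10:38", "2005-02-11 11:38", "2005-02-11 12:39",
            "2005-02-11 13:38", "2005-02-11 15:12"]
CRONTAB = """SHELL=/bin/sh
# minute hour mday month wday who command
0 * * * * root newsyslog
*/5 * * * * root /usr/libexec/atrun
35 * * * * ldap /usr/local/sbin/ldap-export.sh
36 3 * * * root /usr/local/sbin/nightly-backup.sh
"""

if __name__ == "__main__":
    minute, share = dominant_minute(TIMEOUTS)
    print(f"timeouts cluster at :{minute:02d} ({share:.0%}):", suspect_jobs(CRONTAB, minute))
```

Run it against the crontabs of both the radius host and the ldap server(s), since the job may live on either.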
