Are you thinking rlm_ldap opens a new connection for each query and isn't "properly" closing the "old" ones?
I would *think* that connections between rlm_ldap and the ldap server are reused / reentrant / whatever, such that a new connection is not needed for every query? I hope it doesn't open a new connection each time, but if so, perhaps you need to set a connection timeout really low and the max connections really high? Perhaps use netstat or some connection logging to see what's up?

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org] On Behalf Of Maresca, Steven
Sent: Tuesday, February 08, 2011 1:15 PM
To: FreeRadius users mailing list
Subject: RE: rlm_ldap error "All ldap connections are in use"

I am the LDAP admin :). The lookup being performed is simply existence of the uid, and no more. Queries to the LDAP server are essentially instantaneous and indexing is on uid.

That's why this is particularly curious - the LDAP server is operating perfectly by every metric, but freeradius rlm_ldap is running out of connections in its pool.

-s

________________________________________
From: freeradius-users-bounces+steven.maresca=uconn....@lists.freeradius.org [freeradius-users-bounces+steven.maresca=uconn....@lists.freeradius.org] On Behalf Of Alexander Clouter [[email protected]]
Sent: Tuesday, February 08, 2011 2:05 PM
To: [email protected]
Subject: Re: rlm_ldap error "All ldap connections are in use"

Maresca, Steven <[email protected]> wrote:
>
> I'm experiencing rlm_ldap errors "All ldap connections are in use"
> fairly regularly, even after adjusting 'ldap_connections_number' in
> radiusd.conf to a fairly high value.
>
> Aside from failed authentications corresponding with these errors,
> everything is behaving properly. The LDAP server itself is responding
> correctly when queried, and it is running on localhost.
>
> Any suggestions for alleviating congestion or otherwise preventing
> this problem?
>
Although it might be local and 'working', the queries you make against the LDAP server could be taking 5 seconds apiece (which sounds like the effect of the problem you are experiencing).

Check that you are not making needlessly expensive lookups on your LDAP server, such as:
----
(&(uid=bob)(accountstate=enabled))
----

When instead you should use:
----
(&(objectclass=user)(uid=bob)(accountstate=enabled))
----

As well as checking that your queries are sane, also check that your LDAP database is properly indexed. Speak to your local LDAP admin for advice.

Cheers

--
Alexander Clouter
.sigmonster says: That that is is that that is not is not.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
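Following up on the netstat suggestion in the thread, this is an added example (not part of any message above and not FreeRADIUS code) that counts client-side TCP connections to the LDAP port by state. The port 389, the function names and the netstat sample are assumptions constructed for illustration; the thread only states that the LDAP server runs on localhost.

```bash
#!/usr/bin/env bash
# Added example: summarise TCP connections to the LDAP port by state.
# LDAP_PORT is an assumption (the thread does not name the port).
LDAP_PORT="${LDAP_PORT:-389}"

# Reads `netstat -tan` style lines on stdin and prints "STATE COUNT",
# one line per state, sorted by state name. Only rows whose *foreign*
# port is the LDAP port are counted, so on a localhost setup each
# connection is counted once, from the client's side of the socket.
ldap_conn_states() {
    awk -v port="$LDAP_PORT" '
        $1 ~ /^tcp/ {
            n = split($5, parts, ":")      # last piece is the port
            if (parts[n] == port) count[$6]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort
}

# Constructed sample input, not captured from a real host.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:45012         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:45012         ESTABLISHED
tcp        0      0 127.0.0.1:45013         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:45014         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:45007         127.0.0.1:389           TIME_WAIT
tcp        0      0 127.0.0.1:45008         127.0.0.1:389           TIME_WAIT
tcp        1      0 127.0.0.1:45001         127.0.0.1:389           CLOSE_WAIT
tcp        0      0 10.0.0.5:1812           10.0.0.9:51544          ESTABLISHED
EOF
}

# Demonstration on the constructed sample.
# On a live host: netstat -tan | ldap_conn_states
sample_netstat | ldap_conn_states
```

Run repeatedly while the error occurs: an ESTABLISHED count that sits at the configured `ldap_connections_number` suggests the pool is saturated by slow or stuck queries, while a client-side count that keeps changing across TIME_WAIT and new ports suggests connections are being opened and closed rather than reused.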

