I finally got this figured out. It did not have anything to do with freeradius, but since others using the program might run into it, I figured I should post it here.

The arp cache of the server was limited by default to 128 addresses, which was running out pretty quickly. So I inserted and applied the values below in sysctl.conf and everything works great now.

net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

Dan

On 05/04/2011 01:51 AM, freeradius-users-requ...@lists.freeradius.org wrote:
Message: 3
Date: Tue, 3 May 2011 20:56:12 +0100
From: Alexander Clouter <a...@digriz.org.uk>
Subject: Re: ldap server connection timeout
To: freeradius-users@lists.freeradius.org
Message-ID: <s73698-k73....@chipmunk.wormnet.eu>

Daniel Davidson <dani...@igb.uiuc.edu> wrote:
>
> My new wireless network tested great, but now that I have rolled it out
> to the entire building, I get error messages like:
>
> Mon May 2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed
> out while waiting for server to respond. Please increase the timeout.
>
> And when these trigger, nearly everyone gets disconnected for about 5
> seconds.  Possible relevant code from ldap module:
>
> ldap {
>     #private stuff <-- BUT CRUCIAL!
>           ldap_connections_number = 15
>           timeout = 10
>           timelimit = 10
>           net_timeout = 5
> }
>
> The only existing firewalls are on the machines themselves and the ip
> range of the servers are open with each other.  Any ideas?
>
I am guessing your LDAP server is *way* too slow when processing the
queries you are making it munch through.  Typical 'first-timer' mistakes are
that you are not indexing the important attributes.  For example our
filter looks like:

filter = "(&(objectClass=Person)(|(businessCategory=staff)(businessCategory=student)(cn=avg*))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"

This takes ~0.02s to respond for us, how long does it take to process
the query at your end (test with the following and remember to test
the server when it is under load, which is probably why it worked
before you widely deployed it):
----
time ldapsearch -h ldap-server.example.com -x -LLL '<query>'
----

Where <query> is what you see FreeRADIUS make in the output of 'radiusd
-X'.

Cheers


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
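
An added example, not part of the original messages: a small shell check for the condition described at the top of this thread, comparing the IPv4 neighbour (ARP) table size with the gc_thresh sysctls and counting kernel overflow messages. The sample neighbour entries, log lines and the host name radius1 are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the IPv4 neighbour (ARP) table
# size with the gc_thresh1/2/3 sysctls and count kernel overflow messages.

# count_neigh: count entries in `ip -4 neigh show` output read from stdin.
count_neigh() { awk 'NF { n++ } END { print n + 0 }'; }

# count_overflow: count neighbour table overflow lines in a kernel log on stdin.
# Matches both the older and the newer kernel wording.
count_overflow() {
    awk 'tolower($0) ~ /neighbou?r table overflow/ { n++ } END { print n + 0 }'
}

# neigh_level COUNT T1 T2 T3: below T1 the collector leaves the table alone,
# from T2 it collects aggressively, and at T3 new entries are refused.
neigh_level() {
    if [ "$1" -ge "$4" ]; then echo full
    elif [ "$1" -ge "$3" ]; then echo soft-limit
    elif [ "$1" -ge "$2" ]; then echo gc-active
    else echo ok
    fi
}

# Constructed sample data (documentation addresses, made-up MACs and timestamps).
sample_neigh() {
    cat <<'EOF'
192.0.2.10 dev eth0 lladdr 02:00:00:00:00:0a REACHABLE
192.0.2.11 dev eth0 lladdr 02:00:00:00:00:0b STALE
192.0.2.12 dev eth0  FAILED
EOF
}
sample_klog() {
    cat <<'EOF'
May  2 15:15:01 radius1 kernel: Neighbour table overflow.
May  2 15:15:02 radius1 kernel: eth0: link up
May  2 15:15:06 radius1 kernel: neighbour: arp_cache: neighbor table overflow!
EOF
}

echo "sample entries:        $(sample_neigh | count_neigh)"
echo "overflow lines:        $(sample_klog | count_overflow)"
# 900 clients against the Linux defaults, then against the values from the post.
echo "900 vs 128/512/1024:   $(neigh_level 900 128 512 1024)"
echo "900 vs 1024/2048/4096: $(neigh_level 900 1024 2048 4096)"
# Live use: ip -4 neigh show | count_neigh ; dmesg | count_overflow
#           sysctl -n net.ipv4.neigh.default.gc_thresh3
```
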