Are the LDAP clients always the same?
Or is it more like an LDAP server does not accept TLS or SSL connections at all?
Could it be a temporary situation while some large searches are processed?
Are there load balancers in between?
Check for LDAP server descriptors and system entropy.
Check for nsslapd-enable-nunc-stans: off
ldapsearch -D "cn=directory manager" -W -b cn=config -s base nsslapd-enable-nunc-stans
Maybe take a pstack.
Thanks,
M.

On Mon, Dec 23, 2019 at 3:08 PM Trevor Fong <tjfong@gmail.com> wrote:
Hi Everyone,

We're running a cluster of VMs running 389-Directory/1.3.9.1 B2019.164.1418 on RHEL7.7.
Some are providers, which replicate to a bunch of hubs (which provide authentication services), which replicate in turn to a bunch of consumers (which provide support for longer running queries).
Of late, a few clients have noted timed-out connections.
When we look in our logs we see things like:

[23/Dec/2019:00:21:50.760643645 -0800] conn=7827580 fd=469 slot=469 SSL connection from <their IP> to <our IP>
[23/Dec/2019:00:21:50.764149645 -0800] conn=7827580 TLS1.2 256-bit AES-GCM
<no other transactions on conn=7827580, until the client times out the connection>
[23/Dec/2019:00:22:05.763868515 -0800] conn=7827580 op=-1 fd=469 closed - Encountered end of file.

Other connections are made and operate just fine between the opening and closing of the timed-out connection.

Would anyone know what this could be/what we could check?

Thanks,
Trev
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
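An added example, not part of the original thread: a small Python scan of a 389-DS access log for the pattern described above, i.e. TLS connections that complete the handshake and are then closed without a single operation. The sample lines are constructed (modeled on the excerpt in the thread, with documentation IP addresses), and the function name is illustrative.

```python
import re
from datetime import datetime

LINE = re.compile(r'^\[([^\]]+)\] conn=(\d+) (.*)$')
CLOSE = re.compile(r'^op=-?\d+ fd=\d+ closed(?: - (.*))?$')
OP = re.compile(r'^op=(\d+) ')

SAMPLE_LOG = """\
[23/Dec/2019:00:21:50.760643645 -0800] conn=7827580 fd=469 slot=469 SSL connection from 192.0.2.10 to 198.51.100.5
[23/Dec/2019:00:21:50.764149645 -0800] conn=7827580 TLS1.2 256-bit AES-GCM
[23/Dec/2019:00:22:05.763868515 -0800] conn=7827580 op=-1 fd=469 closed - Encountered end of file.
[23/Dec/2019:00:21:51.100000000 -0800] conn=7827581 fd=470 slot=470 SSL connection from 192.0.2.20 to 198.51.100.5
[23/Dec/2019:00:21:51.104000000 -0800] conn=7827581 TLS1.2 256-bit AES-GCM
[23/Dec/2019:00:21:51.110000000 -0800] conn=7827581 op=0 BIND dn="uid=app,ou=people,dc=example,dc=com" method=128 version=3
[23/Dec/2019:00:21:51.200000000 -0800] conn=7827581 op=1 fd=470 closed - U1
""".splitlines()  # constructed sample, not taken from a real server

def parse_ts(ts):
    # Access log timestamps carry nanoseconds; %f accepts at most 6 digits.
    stamp, zone = ts.rsplit(' ', 1)
    base, _, frac = stamp.partition('.')
    return datetime.strptime(f"{base}.{(frac or '0')[:6]} {zone}",
                             "%d/%b/%Y:%H:%M:%S.%f %z")

def idle_tls_connections(lines):
    """Return (conn, seconds_open, close_reason) for handshake-only TLS connections."""
    state, findings = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, conn, rest = m.groups()
        closed = CLOSE.match(rest)
        if 'SSL connection from' in rest:
            state[conn] = {'start': parse_ts(ts), 'cipher': None, 'ops': 0}
        elif conn not in state:
            continue  # plain LDAP connection, or opened before this log began
        elif closed:
            c = state.pop(conn)
            if c['cipher'] and c['ops'] == 0:
                secs = (parse_ts(ts) - c['start']).total_seconds()
                findings.append((conn, round(secs, 3), closed.group(1)))
        elif OP.match(rest):
            state[conn]['ops'] += 1  # any op=N with N >= 0 counts as activity
        elif rest.startswith(('TLS', 'SSL')):
            state[conn]['cipher'] = rest  # handshake finished, cipher logged
    return findings

if __name__ == "__main__":
    print(idle_tls_connections(SAMPLE_LOG))
```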