3:08 p.m.
Hello the list,
We've got a number (hundreds) of hosts inside a private network, these all
query the FreeIPA server for user and group information using NAT and a
gateway server.
However we're having issues with the LDAP queries timing out or becoming
unresponsive.
Is there a limit on the number of concurrent connections from a single host
(e.g. the NAT gateway)?
Is there a way of increasing the number of simultaneous connections to
FreeIPA/dirsrv?
Regards,
Aaron
12:54 a.m.
Does sssd caching of privileges is working?
I mean, suppose if there is no reply from IPA-server, it should use local
cache for existing users.
2017-12-11 0:08 GMT+03:00 Aaron Hicks via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>:
Hello the list,
We’ve got a number (hundreds) of hosts inside a private network, these all
query the FreeIPA server for user and group information using NAT and a
gateway server.
However we’re having issues with the LDAP queries timing out or becoming
unresponsive.
Is there a limit on the number of concurrent connections from a single
host (e.g. the NAT gateway)?
Is there a way of increasing the number of simultaneous connections to
FreeIPA/dirsrv?
Regards,
Aaron
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
Best regards, Andrew.
12:52 p.m.
Hi Andrew,
I’m afraid it’s often happening during the initial population if the cache. Also these
host are all LDAP only and caching with nscd, as they only need user and group name
resolution. This was done to minimise changes to their software image as they’re
stateless/diskless hosts.
Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Andrew Radygin <randrewg(a)gmail.com>
Sent: Monday, December 11, 2017 7:54:45 PM
To: FreeIPA users list
Cc: Aaron Hicks
Subject: Re: [Freeipa-users] FreeIPA connection limits?
Does sssd caching of privileges is working?
I mean, suppose if there is no reply from IPA-server, it should use local cache for
existing users.
2017-12-11 0:08 GMT+03:00 Aaron Hicks via FreeIPA-users
<freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>:
Hello the list,
We’ve got a number (hundreds) of hosts inside a private network, these all query the
FreeIPA server for user and group information using NAT and a gateway server.
However we’re having issues with the LDAP queries timing out or becoming unresponsive.
Is there a limit on the number of concurrent connections from a single host (e.g. the NAT
gateway)?
Is there a way of increasing the number of simultaneous connections to FreeIPA/dirsrv?
Regards,
Aaron
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org>
--
Best regards, Andrew.
2:06 a.m.
On Mon, Dec 11, 2017 at 10:08:50AM +1300, Aaron Hicks via FreeIPA-users wrote:
Hello the list,
We've got a number (hundreds) of hosts inside a private network, these all
query the FreeIPA server for user and group information using NAT and a
gateway server.
However we're having issues with the LDAP queries timing out or becoming
unresponsive.
Is there a limit on the number of concurrent connections from a single host
(e.g. the NAT gateway)?
Is there a way of increasing the number of simultaneous connections to
FreeIPA/dirsrv?
Are you using a trust to AD? In this case you might hit
https://pagure.io/freeipa/issue/5464.
bye,
Sumit
Regards,
Aaron
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
12:48 p.m.
No, our FreeIPA instance is stand alone, but we’ll be implementing replication soon.
Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Sumit Bose via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, December 11, 2017 9:06:53 PM
To: freeipa-users(a)lists.fedorahosted.org
Cc: Sumit Bose
Subject: [Freeipa-users] Re: FreeIPA connection limits?
On Mon, Dec 11, 2017 at 10:08:50AM +1300, Aaron Hicks via FreeIPA-users wrote:
Hello the list,
We've got a number (hundreds) of hosts inside a private network, these all
query the FreeIPA server for user and group information using NAT and a
gateway server.
However we're having issues with the LDAP queries timing out or becoming
unresponsive.
Is there a limit on the number of concurrent connections from a single host
(e.g. the NAT gateway)?
Is there a way of increasing the number of simultaneous connections to
FreeIPA/dirsrv?
Are you using a trust to AD? In this case you might hit
https://pagure.io/freeipa/issue/5464.
bye,
Sumit
Regards,
Aaron
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
1:55 p.m.
On 12/10/2017 01:08 PM, Aaron Hicks via FreeIPA-users wrote:
We’ve got a number (hundreds) of hosts inside a private network, these
all query the FreeIPA server for user and group information using NAT
and a gateway server.
However we’re having issues with the LDAP queries timing out or
becoming unresponsive.
Is there a limit on the number of concurrent connections from a single
host (e.g. the NAT gateway)?
I'm not aware of such a limit in 389-ds, but if there were one, I'd
expect you to see a fast lookup failure, rather than a timeout.
Instead, you might want to investigate the NAT gateway. The common case
with NAT gateways is a fairly short TCP timeout which causes long-lived
by infrequently-used connections to time out, producing the kind of
unresponsive behavior you're describing. In that case, you might need
to increase the NAT timeout on the gateway. If that's not an option,
you should migrate to sssd instead of nscd. sssd has a configurable idle
timeout, so that you can configure the systems to disconnect after an
idle period that matches whatever limit is imposed by your NAT gateway.
Is there a way of increasing the number of simultaneous connections
to
FreeIPA/dirsrv?
Determine whether or not that's the problem, first. Maybe monitor your
FreeIPA server connections. Once a minute, record the output of "ss -ta
| grep :389 | grep ESTAB". If you're seeing clients hang when there are
different numbers of active connections at the server, it's less likely
to be a FreeIPA problem, and more likely to be a NAT problem.
2335
days inactive
2336
days old
freeipa-users@lists.fedorahosted.org
5 comments
4 participants
participants (4)
-
Aaron Hicks -
Andrew Radygin -
Gordon Messmer -
Sumit Bose