On 12/10/2017 01:08 PM, Aaron Hicks via FreeIPA-users wrote:
> We’ve got a number (hundreds) of hosts inside a private network; these
> all query the FreeIPA server for user and group information using NAT
> and a gateway server.
>
> However we’re having issues with the LDAP queries timing out or
> becoming unresponsive.
>
> Is there a limit on the number of concurrent connections from a single
> host (e.g. the NAT gateway)?
I'm not aware of such a limit in 389-ds, but if there were one, I'd
expect you to see a fast lookup failure, rather than a timeout.
Instead, you might want to investigate the NAT gateway. The common case
with NAT gateways is a fairly short TCP timeout which causes long-lived
but infrequently-used connections to time out, producing the kind of
unresponsive behavior you're describing. In that case, you might need
to increase the NAT timeout on the gateway. If that's not an option,
you should migrate to sssd instead of nscd. sssd has a configurable idle
timeout, so that you can configure the systems to disconnect after an
idle period that matches whatever limit is imposed by your NAT gateway.
> Is there a way of increasing the number of simultaneous connections to
> FreeIPA/dirsrv?
Determine whether or not that's the problem, first. Maybe monitor your
FreeIPA server connections. Once a minute, record the output of "ss -ta
| grep :389 | grep ESTAB". If you're seeing clients hang when there are
different numbers of active connections at the server, it's less likely
to be a FreeIPA problem, and more likely to be a NAT problem.
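The once-a-minute sampling suggested in the reply, written out as a small monitoring script. This is an added example, not code from the thread or from the FreeIPA project: it parses `ss -tan` output (numeric ports, so the LDAP listener shows as `:389` rather than `:ldap`), counts ESTAB connections per peer address, and appends a timestamped line to a log. Grouping by peer is what makes the NAT case visible: one gateway address holding most of the connections, while the counts at the moments clients hang tell you whether the server's connection load is the problem at all. The `LDAP_PORT`, `LOGFILE` names and the sample `ss` output are constructed for the example.

```shell
#!/bin/sh
# Added example: sample established LDAP connections on the FreeIPA server
# once a minute and log the count per client address plus the total.

LDAP_PORT="${LDAP_PORT:-389}"                      # assumed: plain LDAP listener
LOGFILE="${LOGFILE:-/var/log/ldap-conn-monitor.log}"  # assumed log location

# Read `ss -tan` output on stdin and print one "peer count" line per client
# address (sorted by address) for connections ESTAB to the given local port.
# $4 is Local Address:Port, $5 is Peer Address:Port; the port suffix is
# stripped from the peer so all flows from one NAT gateway fold together.
estab_by_peer() {
    awk -v port="$1" '
        $1 == "ESTAB" && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[^:]*$/, "", peer)
            n[peer]++
        }
        END { for (p in n) print p, n[p] }' | sort
}

# Same input; print only the total number of ESTAB connections to the port.
estab_total() {
    awk -v port="$1" '
        $1 == "ESTAB" && $4 ~ (":" port "$") { total++ }
        END { print total + 0 }'
}

# Constructed sample of `ss -tan` output: three connections from one NAT
# gateway (198.51.100.1), one from a directly attached host, and some lines
# (LISTEN, TIME-WAIT, a non-LDAP port) that must be ignored.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:389 198.51.100.1:40001
ESTAB 0 0 192.0.2.10:389 198.51.100.1:40002
ESTAB 0 0 192.0.2.10:389 198.51.100.1:40003
ESTAB 0 0 192.0.2.10:389 192.0.2.20:50011
LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
ESTAB 0 0 192.0.2.10:22 192.0.2.30:60000
TIME-WAIT 0 0 192.0.2.10:389 198.51.100.1:40004'

# Run both parsers over the constructed sample (used for a dry run / tests).
demo_total()   { printf '%s\n' "$SAMPLE_SS_OUTPUT" | estab_total "$LDAP_PORT"; }
demo_by_peer() { printf '%s\n' "$SAMPLE_SS_OUTPUT" | estab_by_peer "$LDAP_PORT"; }

# Take one live sample and append it to the log as a single timestamped line,
# e.g. "2017-12-10T13:08:00 total=4 192.0.2.20=1 198.51.100.1=3".
sample_once() {
    snapshot=$(ss -tan)
    total=$(printf '%s\n' "$snapshot" | estab_total "$LDAP_PORT")
    peers=$(printf '%s\n' "$snapshot" | estab_by_peer "$LDAP_PORT" |
            awk '{ printf " %s=%s", $1, $2 }')
    printf '%s total=%s%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$total" "$peers" \
        >> "$LOGFILE"
}

# Loop forever, sampling once a minute, as the reply suggests.
monitor() {
    while :; do
        sample_once
        sleep 60
    done
}

case "${1:-}" in
    run)  monitor ;;          # ./ldap-conn-monitor.sh run   (as root, on the IPA server)
    demo) demo_total; demo_by_peer ;;   # parse the constructed sample only
esac
```

Run it with `run` on the directory server itself, then line the log up against the times clients reported hangs. If hangs occur at both low and high totals, the server's connection count is not the cause and the gateway is the next place to look. The sssd half of the reply is a configuration setting rather than code: `ldap_idle_timeout` in the `[domain/...]` section of sssd.conf (documented in sssd-ldap(5)) closes idle LDAP connections after the given number of seconds, so setting it below the gateway's TCP idle timeout stops clients from reusing a connection the NAT has already dropped.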