Hello the list,
We've got a number (hundreds) of hosts inside a private network; these all query the FreeIPA server for user and group information using NAT and a gateway server.
However we're having issues with the LDAP queries timing out or becoming unresponsive.
Is there a limit on the number of concurrent connections from a single host (e.g. the NAT gateway)?
Is there a way of increasing the number of simultaneous connections to FreeIPA/dirsrv?
Regards,
Aaron
Is sssd caching of privileges working? I mean, suppose there is no reply from the IPA server; it should use the local cache for existing users.
2017-12-11 0:08 GMT+03:00 Aaron Hicks via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
Hello the list,
We’ve got a number (hundreds) of hosts inside a private network; these all query the FreeIPA server for user and group information using NAT and a gateway server.
However we’re having issues with the LDAP queries timing out or becoming unresponsive.
Is there a limit on the number of concurrent connections from a single host (e.g. the NAT gateway)?
Is there a way of increasing the number of simultaneous connections to FreeIPA/dirsrv?
Regards,
Aaron
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi Andrew,
I’m afraid it’s often happening during the initial population of the cache. Also, these hosts are all LDAP only and caching with nscd, as they only need user and group name resolution. This was done to minimise changes to their software image as they’re stateless/diskless hosts.
From: Andrew Radygin <randrewg@gmail.com>
Sent: Monday, December 11, 2017 7:54:45 PM
To: FreeIPA users list
Cc: Aaron Hicks
Subject: Re: [Freeipa-users] FreeIPA connection limits?
Is sssd caching of privileges working? I mean, suppose there is no reply from the IPA server; it should use the local cache for existing users.
-- Best regards, Andrew.
On Mon, Dec 11, 2017 at 10:08:50AM +1300, Aaron Hicks via FreeIPA-users wrote:
Hello the list,
We've got a number (hundreds) of hosts inside a private network; these all query the FreeIPA server for user and group information using NAT and a gateway server.
However we're having issues with the LDAP queries timing out or becoming unresponsive.
Is there a limit on the number of concurrent connections from a single host (e.g. the NAT gateway)?
Is there a way of increasing the number of simultaneous connections to FreeIPA/dirsrv?
Are you using a trust to AD? In this case you might hit https://pagure.io/freeipa/issue/5464.
bye, Sumit
Regards,
Aaron
No, our FreeIPA instance is stand alone, but we’ll be implementing replication soon.
From: Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Monday, December 11, 2017 9:06:53 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose
Subject: [Freeipa-users] Re: FreeIPA connection limits?
On 12/10/2017 01:08 PM, Aaron Hicks via FreeIPA-users wrote:
We’ve got a number (hundreds) of hosts inside a private network; these all query the FreeIPA server for user and group information using NAT and a gateway server.
However we’re having issues with the LDAP queries timing out or becoming unresponsive.
Is there a limit on the number of concurrent connections from a single host (e.g. the NAT gateway)?
I'm not aware of such a limit in 389-ds, but if there were one, I'd expect you to see a fast lookup failure, rather than a timeout.
Instead, you might want to investigate the NAT gateway. The common case with NAT gateways is a fairly short TCP timeout which causes long-lived but infrequently-used connections to time out, producing the kind of unresponsive behavior you're describing. In that case, you might need to increase the NAT timeout on the gateway. If that's not an option, you should migrate to sssd instead of nscd. sssd has a configurable idle timeout, so that you can configure the systems to disconnect after an idle period that matches whatever limit is imposed by your NAT gateway.
Is there a way of increasing the number of simultaneous connections to FreeIPA/dirsrv?
Determine whether or not that's the problem, first. Maybe monitor your FreeIPA server connections. Once a minute, record the output of "ss -ta | grep :389 | grep ESTAB". If you're seeing clients hang when there are different numbers of active connections at the server, it's less likely to be a FreeIPA problem, and more likely to be a NAT problem.
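The once-a-minute monitoring suggested in the reply above, as an added example that is not part of the thread and not FreeIPA or 389-ds code. It parses `ss -ta` output for established connections whose local port is 389 and goes one step beyond the suggested pipeline by grouping them per peer address, so a NAT gateway that funnels hundreds of hosts shows up as one peer carrying many connections. The sample `ss` output is constructed; `snapshot_once()` runs the real command and needs iproute2 on the IPA server.

```python
"""Record established LDAP (port 389) connections per peer from `ss -ta` output.

Added example, not code from the thread or from FreeIPA/389-ds. It assumes the
column layout iproute2's `ss -ta` prints:
    State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
"""
import subprocess
import time
from collections import Counter
from datetime import datetime, timezone

LDAP_PORT = 389

# Constructed sample output (not captured from a real server). It mixes the
# listening socket, LDAPS and SSH connections, a TIME-WAIT entry and three
# established LDAP connections that all arrive from one NAT gateway address.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:389                *:*
ESTAB      0      0      10.0.0.5:389         192.168.1.1:51234
ESTAB      0      0      10.0.0.5:389         192.168.1.1:51235
ESTAB      0      0      10.0.0.5:389         192.168.1.1:51236
ESTAB      0      0      10.0.0.5:636         192.168.1.1:51300
ESTAB      0      0      10.0.0.5:22          10.0.0.9:40000
TIME-WAIT  0      0      10.0.0.5:389         192.168.1.1:51100
"""


def parse_ss_lines(lines, port=LDAP_PORT):
    """Return Counter{peer_address: established_connections} for the given local port.

    Only ESTAB rows count, and the *local* port is compared exactly, so a peer
    port such as 38912 (which `grep :389` would match) is not miscounted.
    Without `-n`, ss prints the service name, so "ldap" is accepted for 389.
    """
    accepted_ports = {str(port), "ldap"} if port == LDAP_PORT else {str(port)}
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        # rsplit keeps IPv6 literals such as [fd00::5]:389 intact.
        _local_host, local_port = local.rsplit(":", 1)
        if local_port not in accepted_ports:
            continue
        peer_host, _peer_port = peer.rsplit(":", 1)
        counts[peer_host] += 1
    return counts


def format_record(counts, when):
    """One log line per sample: timestamp, total, then per-peer counts (largest first)."""
    total = sum(counts.values())
    peers = " ".join(f"{host}={n}" for host, n in counts.most_common())
    return f"{when.isoformat()} established_ldap={total} {peers}".rstrip()


def snapshot_once():
    """Run `ss -ta` on this host and return the formatted record for right now."""
    result = subprocess.run(["ss", "-ta"], capture_output=True, text=True, check=True)
    counts = parse_ss_lines(result.stdout.splitlines())
    return format_record(counts, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Append one record per minute; correlate the timestamps with client hangs.
    while True:
        with open("ldap-connections.log", "a") as log:
            log.write(snapshot_once() + "\n")
        time.sleep(60)
```

Run it on the FreeIPA server and compare the per-peer counts at the moments clients hang: a count that stays flat while clients stall points at the gateway's idle timeout rather than at 389-ds. The client-side knob the reply refers to is, in my understanding of sssd, the `ldap_idle_timeout` option in the `[domain/...]` section of sssd.conf (see the sssd-ldap man page); set it below the gateway's TCP idle limit so sssd closes the connection itself instead of leaving a half-dead one behind.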