Hello.
In the case that an LDAP connection is established between the hosts and the FreeIPA server and we don't do any action using that connection, the connection is closed and a new connection is established, in the hosts. But the FreeIPA server holds 2 connections at a time without closing the pre-existing connection.
We think that this is the very issue that Tom explained above.
But the hosts are running at AWS, GCP, Azure behind NAT (default NAT timeout: gcp 1200s, aws 350s, azure 240s) and we can't control the NAT timeout value.
Because we aren't members of the host operation team.
Hence, we actually try to see a light data to inform NAT that the connection is alive.
As in Tom's suggestion, we worry that configuring `ldap_connection_expire_timeout` to some value less than 240s may increase LDAP server performance.
It would be very helpful if any other parameter than `ldap_connection_expire_timeout` were suggested.
Thank you
JHK
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org