The issue here (IIUC) is that SSSD keeps the LDAP connection open when an operation is finished, and the connection is then reused on the next occasion. If there is a long gap in communication, the firewall may drop the information about that particular connection from the NAT table.

Here, shortening `ldap_connection_expire_timeout` (default 15 minutes!) might help. Be careful: shortening this timeout too much may increase the load on the LDAP server. Ideally, ask the firewall guy how long the NAT information is kept on the FW and set `ldap_connection_expire_timeout` to a slightly shorter value.

HTH
Tom


On Mon, Sep 2, 2024 at 5:11 AM Spike White <spikewhitetx@gmail.com> wrote:
I'm a bit confused as to your exact problem.

By default, LDAP queries time out after 6 seconds (ldap_query_timeout). Is your problem that LDAP queries are taking too long to run? More than 6 seconds? And because of that, they're timing out?

Or are you saying that after a period of perceived inactivity, your NAT mapping on your network switch gets dropped, so you need some sort of keep-alive in order to keep this NAT mapping alive at all times?

Spike


On Sun, Sep 1, 2024 at 8:28 PM Jaehwan Kim <espoire@samsung.com> wrote:
Hello.

We've got a number (thousands) of hosts inside a private network in a cloud environment.
These all query the FreeIPA server for user and group information through NAT and a gateway server.
However, we're having issues with the LDAP queries timing out or becoming unresponsive due to the NAT timeout.
In order to prevent hosts (clients) from being disconnected due to the NAT timeout, we wish to try some sssd timeout values.
Because we have difficulty finding the proper timeout in the sssd.conf.5 manual pages (website), can you advise us on the proper timeout or propose another way?

Thank you.
JHK
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Tomáš Halman
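The check Tom describes at the top of the thread (compare `ldap_connection_expire_timeout`, default 900 seconds, against the firewall's NAT idle timeout and set it a little shorter) can be scripted over sssd.conf. The following is an added example written for this thread; it is not SSSD project code. It assumes the real INI layout of sssd.conf with `[domain/...]` sections, a constructed sample config, and a NAT idle timeout value that, in practice, you would get from the firewall administrator (300 seconds here is a made-up figure). The margin of 60 seconds below the NAT timeout is also an assumption, chosen so the connection expires before the NAT entry does without cutting the reuse window so far that LDAP server load rises needlessly.

```python
"""Audit sssd.conf domain sections for ldap_connection_expire_timeout vs. NAT idle timeout.

Added example for the sssd-users thread, not SSSD's own code. Assumes the usual
INI-style sssd.conf layout and a NAT idle timeout supplied by the firewall team.
"""
import configparser
import io

# SSSD default for ldap_connection_expire_timeout: 15 minutes (as noted in the thread).
DEFAULT_EXPIRE_SECONDS = 900

# Constructed sample sssd.conf: 'corp' leaves the option at its default,
# 'lab' has already been tuned below a (hypothetical) 300 s NAT idle timeout.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = corp, lab

[domain/corp]
id_provider = ldap
ldap_uri = ldap://ipa.example.internal

[domain/lab]
id_provider = ldap
ldap_uri = ldap://ipa-lab.example.internal
ldap_connection_expire_timeout = 240
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is disabled because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def audit_domains(conf_text, nat_idle_timeout, margin=60):
    """Return {domain: (current_expire, recommended_expire, at_risk)} per [domain/...] section.

    A domain is 'at risk' when an idle SSSD connection can outlive the NAT entry,
    i.e. the expiry timeout is not shorter than the NAT idle timeout.
    """
    cp = parse_sssd_conf(conf_text)
    recommended = max(nat_idle_timeout - margin, 1)
    results = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        raw = cp.get(section, "ldap_connection_expire_timeout", fallback=None)
        current = int(raw) if raw is not None else DEFAULT_EXPIRE_SECONDS
        at_risk = current >= nat_idle_timeout
        results[section[len("domain/"):]] = (current, recommended, at_risk)
    return results


def suggested_lines(conf_text, nat_idle_timeout, margin=60):
    """Lines to add under each at-risk [domain/...] section."""
    return {
        name: f"ldap_connection_expire_timeout = {rec}"
        for name, (_cur, rec, risk) in audit_domains(conf_text, nat_idle_timeout, margin).items()
        if risk
    }


if __name__ == "__main__":
    NAT_IDLE_TIMEOUT = 300  # constructed; ask the firewall administrator for the real value
    for name, (cur, rec, risk) in audit_domains(SAMPLE_CONF, NAT_IDLE_TIMEOUT).items():
        state = "AT RISK" if risk else "ok"
        print(f"domain/{name}: expire={cur}s nat_idle={NAT_IDLE_TIMEOUT}s -> {state}"
              + (f" (set ldap_connection_expire_timeout = {rec})" if risk else ""))
```

Run it against a copy of your own sssd.conf by replacing `SAMPLE_CONF` with the file's contents; only the domains whose expiry is not shorter than the NAT timeout are reported, and the suggested value stays well above the 6-second query timeout Spike mentions, so normal lookups are unaffected.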