Hello.
We've got a number (thousands) of hosts inside a private network of a cloud environment. These all query the FreeIPA server for user and group information through NAT and a gateway server. However, we're having issues with the LDAP queries timing out or becoming unresponsive due to the NAT timeout. In order to prevent hosts (clients) from being disconnected due to the NAT timeout, we wish to try some sssd timeout values. Because we have difficulty finding the proper timeout in the sssd.conf(5) manual pages (website), can you advise us on the proper timeout or propose another way?
Thank you. JHK
I'm a bit confused as to your exact problem.
By default, LDAP queries time out after 6 seconds (ldap_query_timeout). Is your problem that LDAP queries are taking too long to run? More than 6 seconds? And because of that, they're timing out?
Or are you saying after a period of perceived inactivity, your NAT setup on your network switch gets dropped, so you need some sort of keep-alive in order to keep this NAT mapping alive at all times?
Spike
On Sun, Sep 1, 2024 at 8:28 PM Jaehwan Kim espoire@samsung.com wrote:
--
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
The issue here (IIUC) is that SSSD keeps the LDAP connection open when the operation is finished, and the connection is then reused on the next occasion. If there is a long gap in communication, the firewall may drop the information about that particular connection from the NAT table.
Here, shortening `ldap_connection_expire_timeout` (default 15 minutes!) might help. Be careful: shortening this timeout too much may increase the load on the LDAP server. Ideally, ask the firewall guy how long the NAT information is kept on the FW and set `ldap_connection_expire_timeout` to a slightly shorter value.
HTH Tom
On Mon, Sep 2, 2024 at 5:11 AM Spike White spikewhitetx@gmail.com wrote:
Hello.
In the case that an LDAP connection is established between hosts and the FreeIPA server and we don't do any action using that connection, the connection is closed and a new connection is established on the hosts. But the FreeIPA server holds 2 connections at a time without closing the pre-existing connection.
We think that this is the very issue that Tom explained above. But the hosts are running at AWS, GCP and Azure behind NAT (default NAT timeout: GCP 1200s, AWS 350s, Azure 240s) and we can't control the NAT timeout value, because we aren't members of the host operation team.
Hence, we would actually like to send some light data to inform the NAT that the connection is alive. As for Tom's suggestion, we worry that configuring `ldap_connection_expire_timeout` to some value less than 240s may increase LDAP server performance.
It would be very helpful if any parameter other than `ldap_connection_expire_timeout` were suggested.
Thank you. JHK
The situation and load will very probably not be worsened by setting `ldap_connection_expire_timeout` to 240 seconds. Even now SSSD is forced to reconnect, and IPA has to keep the old IP connection until it expires. So lowering `ldap_connection_expire_timeout` may improve the situation on both ends (client and server). I believe that the IPA server also has some option for how long an LDAP connection is kept.
Just do not set this timeout to something very short (like 10s), otherwise SSSD may reconnect too often.
Tom
On Tue, Sep 3, 2024 at 2:26 AM Jaehwan Kim espoire@samsung.com wrote:
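As an added example, not code from the thread or from the SSSD project: a small Python check that applies Tom's advice from both replies (set `ldap_connection_expire_timeout` a little below the NAT idle timeout, but never to something very short). It assumes the NAT idle timeouts JHK quoted (GCP 1200 s, AWS 350 s, Azure 240 s) and the 900 s SSSD default Tom refers to; the 30 s safety margin, the 60 s floor and the sample sssd.conf are constructed assumptions of mine. It flags every LDAP-backed domain section whose effective value (including the silent default when the option is absent) falls outside the safe window and produces a corrected config.

```python
"""Audit and correct ldap_connection_expire_timeout in an sssd.conf so that
SSSD drops its idle LDAP connection before the cloud NAT gateway forgets
the mapping (the failure mode discussed in this thread)."""
import configparser
import io

# NAT idle timeouts in seconds as quoted by JHK in the thread.
NAT_IDLE_TIMEOUT = {"gcp": 1200, "aws": 350, "azure": 240}

# SSSD's built-in default for ldap_connection_expire_timeout (15 minutes),
# which is what applies when the option is absent from sssd.conf.
SSSD_DEFAULT_EXPIRE = 900

# Assumed tuning constants (my choices, not from the thread): expire the
# connection this long before the NAT mapping would, and never go below
# the floor so SSSD does not reconnect "too often".
SAFETY_MARGIN = 30
MIN_SENSIBLE_EXPIRE = 60


def recommended_expire(nat_timeouts, margin=SAFETY_MARGIN):
    """One value that is safe behind the most aggressive NAT in the fleet."""
    shortest = min(nat_timeouts.values())
    value = shortest - margin
    if value < MIN_SENSIBLE_EXPIRE:
        raise ValueError(f"NAT idle timeout {shortest}s leaves no sensible expire value")
    return value


def parse_sssd_conf(text):
    """sssd.conf is INI-style; '#' and ';' lines are comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit(text, nat_timeouts=NAT_IDLE_TIMEOUT):
    """Return {section: (current, recommended, ok)} for every LDAP-backed domain.

    'ok' means the effective expire timeout already sits within
    [MIN_SENSIBLE_EXPIRE, recommended]; an absent option counts as the
    900 s default, which is the silent misconfiguration behind NAT.
    """
    cp = parse_sssd_conf(text)
    target = recommended_expire(nat_timeouts)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # Only providers that talk LDAP use this option.
        if cp.get(section, "id_provider", fallback="") not in ("ldap", "ipa", "ad"):
            continue
        current = cp.getint(section, "ldap_connection_expire_timeout",
                            fallback=SSSD_DEFAULT_EXPIRE)
        ok = MIN_SENSIBLE_EXPIRE <= current <= target
        findings[section] = (current, target, ok)
    return findings


def fix(text, nat_timeouts=NAT_IDLE_TIMEOUT):
    """Return the config text with every flagged domain set to the recommended value."""
    cp = parse_sssd_conf(text)
    for section, (_current, target, ok) in audit(text, nat_timeouts).items():
        if not ok:
            cp.set(section, "ldap_connection_expire_timeout", str(target))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


# Constructed sample config: three domains showing the default (too long),
# a too-short value, and an already-correct value.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.test, short.example.test, good.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa.example.test
# ldap_connection_expire_timeout not set: 900 s default applies

[domain/short.example.test]
id_provider = ldap
ldap_uri = ldaps://ldap.example.test
ldap_connection_expire_timeout = 10

[domain/good.example.test]
id_provider = ldap
ldap_uri = ldaps://ldap2.example.test
ldap_connection_expire_timeout = 200
"""

if __name__ == "__main__":
    for section, (current, target, ok) in audit(SAMPLE_SSSD_CONF).items():
        print(f"{section}: current={current}s recommended={target}s {'OK' if ok else 'FIX'}")
    print(fix(SAMPLE_SSSD_CONF))
```

With the three cloud timeouts above the recommendation comes out at 210 s (240 s Azure minus the margin), which is in the range Tom calls safe for load. Note that `configparser` discards comments when it rewrites the file, so on a real `/etc/sssd/sssd.conf` treat `audit()` as the check and apply the resulting value through whatever configuration management already pushes sssd.conf to the fleet.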