ldap server connection timeout

Alexander Clouter alex at digriz.org.uk
Tue May 3 21:56:12 CEST 2011


Daniel Davidson <danield at igb.uiuc.edu> wrote:
>
> My new wireless network tested great, but now that I have rolled it out 
> to the entire building, I get error messages like:
> 
> Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed 
> out while waiting for server to respond. Please increase the timeout.
> 
> And when these trigger, nearly everyone gets disconnected for about 5 
> seconds.  Possible relevant code from ldap module:
> 
> ldap {
>   #private stuff <-- BUT CRUCIAL!
>         ldap_connections_number = 15
>         timeout = 10
>         timelimit = 10
>         net_timeout = 5
> }
> 
> The only existing firewalls are on the machines themselves and the IP 
> range of the servers is open with each other.  Any ideas?
> 
I am guessing your LDAP server is *way* too slow at processing the 
queries you are making it munch through.  Typical 'first-timer' mistakes are 
that you are not indexing the important attributes.  For example our 
filter looks like:

filter = "(&(objectClass=Person)(|(businessCategory=staff)(businessCategory=student)(cn=avg*))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"

This takes ~0.02s to respond for us, how long does it take to process 
the query at your end (test with the following and remember to test 
the server when it is under load, which is probably why it worked 
before you widely deployed it):
----
time ldapsearch -h ldap-server.example.com -x -LLL '<query>'
----

Where <query> is what you see FreeRADIUS make in the output of 'radiusd 
-X'.

Cheers

-- 
Alexander Clouter
.sigmonster says: "Out of register space (ugh)"
                  		-- vi
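
As an added example (not from the thread and not FreeRADIUS's own code), a small Python harness that repeats the `time ldapsearch` measurement above, fills the reply's filter in for a given user, and counts how many samples exceed the `net_timeout` and `timeout` values from the poster's config; the `-b` base DN argument, the `probe`/`assess` names and the RFC 4515 escaping of the user name are my additions.

```python
"""Added example (not from the thread): time the rlm_ldap lookup repeatedly
and compare the samples with the poster's timeout settings."""
import statistics
import subprocess
import sys
import time

NET_TIMEOUT = 5   # seconds, from the poster's rlm_ldap block
TIMEOUT = 10      # seconds, likewise

# Filter from the reply, with %{Stripped-User-Name} as a substitution slot.
FILTER_TEMPLATE = ("(&(objectClass=Person)"
                   "(|(businessCategory=staff)(businessCategory=student)(cn=avg*))"
                   "(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn={user}))")

def escape_filter_value(value):
    """RFC 4515 escaping so a user name cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(user):
    return FILTER_TEMPLATE.format(user=escape_filter_value(user))

def ldapsearch_argv(host, base, user):
    """The reply's `ldapsearch -h ... -x -LLL '<query>'`, with the filter filled in."""
    return ["ldapsearch", "-h", host, "-x", "-LLL", "-b", base, build_filter(user)]

def time_calls(runner, samples=20):
    """Call runner() `samples` times; return each call's wall-clock seconds."""
    out = []
    for _ in range(samples):
        start = time.monotonic()
        runner()
        out.append(time.monotonic() - start)
    return out

def assess(durations, net_timeout=NET_TIMEOUT, timeout=TIMEOUT):
    """Median, p95 and how many samples breached each rlm_ldap limit."""
    s = sorted(durations)
    return {"median": statistics.median(s),
            "p95": s[int(0.95 * (len(s) - 1))],
            "over_net_timeout": sum(d > net_timeout for d in s),
            "over_timeout": sum(d > timeout for d in s)}

def probe(host, base, user, samples=20):
    """Measure the real server; run it while the server is under load."""
    argv = ldapsearch_argv(host, base, user)
    run = lambda: subprocess.run(argv, capture_output=True, check=False)
    return assess(time_calls(run, samples))

if __name__ == "__main__":  # usage: probe.py <host> <base-dn> <user>
    print(probe(*sys.argv[1:4]))
```

Any sample over `net_timeout` is one that would already have produced the "Timed out while waiting for server to respond" error in the poster's log.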