Failure to reconnect to ldaps server after idle_timeout

Phil Mayers p.mayers at
Wed Mar 11 12:40:06 CET 2015

On 10/03/15 21:08, Arran Cudbard-Bell wrote:
>> On 10 Mar 2015, at 17:01, Stefan Paetow <Stefan.Paetow at> wrote:
>>> seen this in 3.0.x (before 3.0.7) where the LDAP timers are set too aggressively. Don't expire
>>> the connections and have lifetime = 0 - then the sockets are nicely kept open and will be reconnected
>>> if there's a connectivity issue.
>> Alan D, Arran, can we document this in the Wiki? I'll happily put a Wiki entry for that together if you're ok with this?
> Sure.
> Something along the lines of "NSS is garbage, don't use NSS"?

NSS is a generally well-written library, and thought by some to be 
superior to OpenSSL. I have mixed feelings - there are some design 
decisions I'm not wild on - but I think it's unfair to describe it as 
"garbage" ;o)

It's definitely tedious this problem exists - I assume because RedHat 
have linked libldap with the NSS/OpenSSL compat shim? - but that's 
hardly the fault of NSS.
