Failure to reconnect to ldaps server after idle_timeout

Arran Cudbard-Bell a.cudbardb at
Wed Mar 11 17:27:29 CET 2015

> On 11 Mar 2015, at 11:33, Alan DeKok <aland at> wrote:
> On Mar 11, 2015, at 11:30 AM, Graham Leggett <minfrin at> wrote:
>> I don’t follow - how does libldap work with software like httpd, but not work with freeradius?
>  Many of the other users open connections and keep them open, or open connections in a child process.  Not many use multiple threads and open/close connections.

It's because mod_ldap uses a global SSL configuration context.

We use per connection configuration contexts, as that's the only way to ensure the module
instance specific TLS parameters are honoured.

If you attempted to use multiple TLS certificates with mod_ldap you would likely find that
it did not work at intended.

If you tried the same configuration with FreeRADIUS, it would work as intended.

The mod_ldap code is available here:

The github issue describes the root cause in greater detail:

This seems like an NSS defect TBH. It should do reference counting for its modules, to
ensure they're not referenced by multiple contexts, so that they're not unintentionally
unloaded when contexts are freed.

TL;DR mod_ldap is broken in other ways which happens to mask this issue.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list