LDAP Server Connections Closing Immediately

Jonathan Gryak jgryak at westport.k12.ct.us
Thu Apr 14 23:43:41 CEST 2016


Thanks for the tip Mearl.

On Wed, Apr 13, 2016 at 3:50 PM, Danner, Mearl <jmdanner at samford.edu> wrote:

> Jonathan,
>
> > -----Original Message-----
> > From: Freeradius-Users [mailto:freeradius-users-
> > bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of
> > Jonathan Gryak
> > Sent: Wednesday, April 13, 2016 2:44 PM
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: LDAP Server Connections Closing Immediately
> >
> > Alan,
> > Thank you very much for taking the time to explain this.
> >
> > Best,
> > Jonathan
> >
> > On Wed, Apr 13, 2016 at 3:33 PM, Alan DeKok <aland at deployingradius.com>
> > wrote:
> >
> > > On Apr 13, 2016, at 2:50 PM, Jonathan Gryak <jgryak at westport.k12.ct.us>
> > > wrote:
> > > > Sorry for not elaborating. I was primarily concerned with the debug
> > > > message: rlm_ldap (ldap): 0 of 0 connections in use.  You may need to
> > > > increase "spare"
> > >
> > >   OK...
> > >
> > > > I suppose that I would expect the slot count in the pool to decrease or
> > > > increase with each connection used, as when the server initially starts
> > > > up the number of available slots decreases from 32 to 28.
> > >
> > >   As I explained.  When the LDAP module gets a redirect from Active
> > > Directory, it connects to the other LDAP server.  It does this by
>
> You can dispense with the redirects, if not serving multiple domains, by
> pointing LDAP to the global catalog ports of the domain controller.
> ldap 3268
> ldaps 3269
>
> You'll have to get with your AD admins to ensure that the attributes you
> need are exposed to the Global Catalog.
>
> > > re-connecting the existing LDAP connection, instead of creating a new one.
> > >
> > >   Since the existing connection is now pointing to a DIFFERENT ldap
> > > server, it's not connected to the MAIN ldap server.
> > >
> > >   So the LDAP module closes the connection.
> > >
> > > > Regarding the "re-use LDAP connections", I thought the lifetime=0 setting
> > > > would mean that an existing slot would be used, and that slot would be
> > > > indicated in the debug output for each LDAP connection.
> > >
> > >   The meaning and function of "lifetime=0" is documented in the config
> > > files.  Read them to see how it works.
> > >
> > > > I thought perhaps
> > > > that the "1 of 32 pending slots used" message indicated that a new thread
> > > > was being created each time, rather than reusing one from the pool.
> > >
> > >   If you read the debug output, you would see what I explained.  It grabs
> > > a connection from the pool.  The connection is used to talk to AD.  AD
> > > returns a redirect to another LDAP server.
> > >
> > >   Since the existing connection is now pointing to a DIFFERENT ldap
> > > server, it's not connected to the MAIN ldap server.
> > >
> > >   So the LDAP module closes the connection.
> > >
> > >   Alan DeKok.
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >



-- 
Jonathan Gryak
Infrastructure Manager

Westport Public Schools
Technology Center
136 Riverside Avenue
Westport, CT 06880
(203) 341-1211
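The two set-ups discussed in the thread side by side, as an added illustration in FreeRADIUS 3.0 mods-available/ldap syntax (not configuration posted by anyone in the thread): first a module pointed at one domain controller's standard port, where a cross-domain referral makes the pooled connection rebind to another server and then get closed, as Alan describes; then the Global Catalog variant Mearl suggests. Hostnames, the bind DN and password, base DNs and the CA file path are constructed placeholders, and the pool values merely echo the 32-slot pool and lifetime=0 mentioned above.

```text
# BEFORE: standard LDAP port on one DC (constructed hostname).
# In a forest with several domains, AD answers some searches with a
# referral; rlm_ldap follows it by rebinding the pooled connection to
# the other server and then closes that connection, as Alan explains.
ldap {
    server = 'ldap://dc1.corp.example.test:389'
    identity = 'CN=radius-bind,OU=Service Accounts,DC=corp,DC=example,DC=test'
    password = 'placeholder-bind-password'
    base_dn = 'DC=corp,DC=example,DC=test'
    options {
        chase_referrals = yes
        rebind = yes
    }
}

# AFTER: Global Catalog over LDAPS (3269; 3268 is the plaintext GC port).
# The GC holds a partial replica of every domain in the forest, so the
# search is answered locally and no referral is followed. Only attributes
# in the GC partial attribute set are searchable, which is why Mearl says
# to confirm with the AD admins that the attributes you filter on are there.
ldap {
    server = 'ldaps://dc1.corp.example.test:3269'
    identity = 'CN=radius-bind,OU=Service Accounts,DC=corp,DC=example,DC=test'
    password = 'placeholder-bind-password'
    # Search from the forest root so objects from any domain are in scope
    base_dn = 'DC=example,DC=test'
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    options {
        # No referrals are expected from the GC; refusing to chase them keeps
        # a pooled connection from ever being rebound to a different server
        chase_referrals = no
    }
    tls {
        ca_file = /etc/raddb/certs/ad-root-ca.pem   # constructed path
        require_cert = 'demand'
    }
    pool {
        start = 5
        min = 4
        max = 32
        spare = 3
        lifetime = 0
        idle_timeout = 60
    }
}
```

Only one of the two ldap blocks belongs in the module file at a time; with the GC variant, a referral showing up in debug output means the attribute or object is not in the partial attribute set and needs to be added on the AD side rather than chased.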

