Problem with multiple LDAP servers

Arran Cudbard-Bell a.cudbardb at
Thu May 5 02:08:14 CEST 2016

> On 4 May 2016, at 15:50, Alan Buxey <A.L.M.Buxey at> wrote:
> Ah!
> Of course, now I'm using multiple ldap configs I've now hit the too many files open issue.

You hit a file descriptor limit? How many connections are you opening? How many servers are you talking to?

Unfortunately from a long term architecture point of view, having one connection per working thread is desirable, so there's not much we can do to fix that.

> Which causes all sorts of interesting failure modes. Obvious when sql connection can't work - the cause is printed out. ... but it was failing in reading the root cert used for ldap instance 5 and claimed it couldn't read the file, x509 issue.

Heh.  Yeah that's far outside of our control, deep inside whatever libldap happens to be using for TLS.

>  Given that using ulimit fixed this. ...... i guess if the failure is when spawning some Ssl stuff you can't do anything about it?

It failed when instantiating the module, right? Not when opening a connection?

That'll be when it creates the new SSL_CTX.

> I've updated /etc/security/limits.conf - giving radius user more soft/hard files... but that didn't work .. even though the server is using radius/radius the limits seem to require root limits to be modified . Looking at adjusting the systemd script right now but it'll catch out any local admins trying to do eg radiusd -X ;)

If you do sudo radiusd -X it'll change to the correct user IIRC.

Only when you run it with usual user privs, will it stick to that user.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list