Problem with multiple LDAP servers
a.cudbardb at freeradius.org
Thu May 5 02:08:14 CEST 2016
> On 4 May 2016, at 15:50, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Of course, now I'm using multiple ldap configs I've now hit the too many files open issue.
You hit a file descriptor limit? How many connections are you opening? How many servers are you talking to?
Unfortunately from a long term architecture point of view, having one connection per working thread is desirable, so there's not much we can do to fix that.
> Which causes all sorts of interesting failure modes. Obvious when sql connection can't work - the cause is printed out. ... but it was failing in reading the root cert used for ldap instance 5 and claimed it couldn't read the file, x509 issue.
Heh. Yeah that's far outside of our control, deep inside whatever libldap happens to be using for TLS.
> Given that using ulimit fixed this. ...... i guess if the failure is when spawning some Ssl stuff you can't do anything about it?
It failed when instantiating the module, right? Not when opening a connection?
That'll be when it creates the new SSL_CTX.
> I've updated /etc/security/limits.conf - giving radius user more soft/hard files... but that didn't work .. even though the server is using radius/radius the limits seem to require root limits to be modified . Looking at adjusting the systemd script right now but it'll catch out any local admins trying to do eg radiusd -X ;)
If you do sudo radiusd -X it'll change to the correct user IIRC.
Only when you run it with usual user privs, will it stick to that user.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Freeradius-Users