On 4 May 2016, at 15:50, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Ah!
Of course, now I'm using multiple ldap configs I've now hit the too many files open issue.
You hit a file descriptor limit? How many connections are you opening? How many servers are you talking to? Unfortunately from a long term architecture point of view, having one connection per working thread is desirable, so there's not much we can do to fix that.
Which causes all sorts of interesting failure modes. Obvious when sql connection can't work - the cause is printed out. ... but it was failing in reading the root cert used for ldap instance 5 and claimed it couldn't read the file, x509 issue.
Heh. Yeah that's far outside of our control, deep inside whatever libldap happens to be using for TLS.
Given that using ulimit fixed this. ...... i guess if the failure is when spawning some Ssl stuff you can't do anything about it?
It failed when instantiating the module, right? Not when opening a connection? That'll be when it creates the new SSL_CTX.
I've updated /etc/security/limits.conf - giving radius user more soft/hard files... but that didn't work .. even though the server is using radius/radius the limits seem to require root limits to be modified . Looking at adjusting the systemd script right now but it'll catch out any local admins trying to do eg radiusd -X ;)
If you do sudo radiusd -X it'll change to the correct user IIRC. Only when you run it with usual user privs, will it stick to that user. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2