rlm_ldap error "All ldap connections are in use"

Gary Gatten Ggatten at waddell.com
Tue Feb 8 20:37:31 CET 2011


Are you thinking rlm_ldap opens a new connection for each query and isn't "properly" closing the "old" ones?

I would *think* that connections between rlm_ldap and the ldap server are reused / reentrant / whatever, such that a new connection is not needed for every query?  I hope it doesn't open a new connection each time, but if so, perhaps you need to set a connection timeout really low and the max connections really high?

Perhaps use netstat or some connection logging to see what's up?

G


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Maresca, Steven
Sent: Tuesday, February 08, 2011 1:15 PM
To: FreeRadius users mailing list
Subject: RE: rlm_ldap error "All ldap connections are in use"

I am the LDAP admin :).
The lookup being performed is simply existence of the uid, and no more. Queries to the LDAP server are essentially instantaneous and indexing is on uid. 

That's why this is particularly curious - the LDAP server is operating perfectly by every metric, but freeradius rlm_ldap is running out of connections in its pool.

-s
________________________________________
From: freeradius-users-bounces+steven.maresca=uconn.edu at lists.freeradius.org [freeradius-users-bounces+steven.maresca=uconn.edu at lists.freeradius.org] On Behalf Of Alexander Clouter [alex at digriz.org.uk]
Sent: Tuesday, February 08, 2011 2:05 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: rlm_ldap error "All ldap connections are in use"

Maresca, Steven <steven.maresca at uconn.edu> wrote:
>
> I'm experiencing rlm_ldap errors "All ldap connections are in use"
> fairly regularly, even after adjusting 'ldap_connections_number' in
> radiusd.conf to a fairly high value.
>
> Aside from failed authentications corresponding with these errors,
> everything is behaving properly. The LDAP server itself is responding
> correctly when queried, and it is running on localhost.
>
> Any suggestions for alleviating congestion or otherwise preventing
> this problem?
>
Although it might be local and 'working', the queries you make against
the LDAP server could be taking 5 seconds apiece (which sounds like the
effect of the problem you are experiencing).

Check that you are not making needlessly expensive lookups on your LDAP
server, such as:
----
(&(uid=bob)(accountstate=enabled))
----

When instead you should use:
----
(&(objectclass=user)(uid=bob)(accountstate=enabled))
----

As well as checking that your queries are sane, also check that your
LDAP database is properly indexed.

Speak to your local LDAP admin for advice.

Cheers

--
Alexander Clouter
.sigmonster says: That that is is that that is not is not.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
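
The netstat check suggested at the top of this thread, sketched as an added example that is not part of the original messages. It assumes Linux `netstat -tan` column layout and LDAP on port 389; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Count TCP connections whose foreign port is the LDAP port, grouped by state.
# Reads `netstat -tan` style output on stdin.
# Live use: netstat -tan | ldap_conn_states 389
ldap_conn_states() {
    port="${1:-389}"   # assumption: plain LDAP on 389
    awk -v port="$port" '
        $1 ~ /^tcp/ && NF >= 6 {
            # Column 5 is the foreign address; the port follows the last ":".
            n = split($5, a, ":")
            if (a[n] == port) count[$6]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort
}

# Number of ESTABLISHED client connections to the LDAP port.
# Compare this with ldap_connections_number from radiusd.conf.
ldap_established() {
    ldap_conn_states "$1" | awk '$1 == "ESTABLISHED" { n = $2 } END { print n + 0 }'
}

# Constructed sample: LDAP on localhost, so the server-side half of each
# connection (local port 389) also appears and must not be counted twice.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:41002         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:41003         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:41004         127.0.0.1:389           ESTABLISHED
tcp        0      0 127.0.0.1:40990         127.0.0.1:389           TIME_WAIT
tcp        0      0 127.0.0.1:40991         127.0.0.1:389           CLOSE_WAIT
tcp        0      0 127.0.0.1:389           127.0.0.1:41002         ESTABLISHED
tcp        0      0 10.0.0.5:1812           10.0.0.9:50000          ESTABLISHED
EOF
}

sample_netstat | ldap_conn_states 389
```

Run repeatedly under load, an ESTABLISHED count that stays flat points to connections being reused, while a TIME_WAIT count that keeps growing points to connections being opened and closed per query.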
