Freeradius-Users Digest, Vol 73, Issue 8

Daniel Davidson danield at igb.uiuc.edu
Wed May 11 18:02:57 CEST 2011


I finally got this figured out.  It did not have anything to do with 
freeradius, but since others using the program might run into it, I 
figured I should post it here.

The arp cache of the server was limited by default to 128 addresses, 
which was running out pretty quickly.  So I inserted and applied the 
values below in sysctl.conf and everything works great now.

net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

Dan

On 05/04/2011 01:51 AM, freeradius-users-request at lists.freeradius.org 
wrote:
> Message: 3
> Date: Tue, 3 May 2011 20:56:12 +0100
> From: Alexander Clouter <alex at digriz.org.uk>
> Subject: Re: ldap server connection timeout
> To: freeradius-users at lists.freeradius.org
> Message-ID: <s73698-k73.ln1 at chipmunk.wormnet.eu>
>
> Daniel Davidson <danield at igb.uiuc.edu> wrote:
> >
> > My new wireless network tested great, but now that I have rolled it out
> > to the entire building, I get error messages like:
> >
> > Mon May  2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed
> > out while waiting for server to respond. Please increase the timeout.
> >
> > And when these trigger, nearly everyone gets disconnected for about 5
> > seconds.  Possible relevant code from ldap module:
> >
> > ldap {
> >    #private stuff <-- BUT CRUCIAL!
> >          ldap_connections_number = 15
> >          timeout = 10
> >          timelimit = 10
> >          net_timeout = 5
> > }
> >
> > The only existing firewalls are on the machines themselves and the ip
> > range of the servers are open with each other.  Any ideas?
> >
> I am guessing your LDAP server is *way* too slow when processing the
> queries you are making it munch through.  Typical 'first-timer' mistakes are
> that you are not indexing the important attributes.  For example our
> filter looks like:
>
> filter = "(&(objectClass=Person)(|(businessCategory=staff)(businessCategory=student)(cn=avg*))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
>
> This takes ~0.02s to respond for us, how long does it take to process
> the query at your end (test with the following and remember to test
> the server when it is under load, which is probably why it worked
> before you widely deployed it):
> ----
> time ldapsearch -h ldap-server.example.com -x -LLL '<query>'
> ----
>
> Where <query> is what you see FreeRADIUS make in the output of 'radiusd
> -X'.
>
> Cheers
>
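
Added example, not part of the original message or of FreeRADIUS: a shell check for the condition reported at the top of this message, comparing the number of IPv4 neighbour (ARP) entries with the `gc_thresh1`/`gc_thresh2`/`gc_thresh3` sysctls and counting kernel log lines that report a neighbour table overflow. The function names, the `live` argument and the sample table are constructed for illustration; the threshold meanings follow the kernel's sysctl documentation.

```shell
#!/bin/sh
# Added example: compare IPv4 neighbour (ARP) table usage with the
# gc_thresh1/2/3 sysctls. Function names and sample data are illustrative.

# Count entries in a file laid out like /proc/net/arp (line 1 is a header).
count_arp_entries() {
    awk 'NR > 1 && NF >= 6 { n++ } END { print n + 0 }' "$1"
}

# classify_neigh_usage COUNT THRESH1 THRESH2 THRESH3
#   below thresh1 : garbage collector leaves the table alone
#   >= thresh1    : periodic garbage collection may evict stale entries
#   >= thresh2    : soft limit, collection becomes aggressive
#   >= thresh3    : hard limit, new neighbours cannot be added
classify_neigh_usage() {
    if   [ "$1" -ge "$4" ]; then echo hard-limit
    elif [ "$1" -ge "$3" ]; then echo soft-limit
    elif [ "$1" -ge "$2" ]; then echo gc-active
    else echo ok
    fi
}

# Count kernel log lines on stdin that report an overflow; the wording differs
# by kernel version ("Neighbour table overflow." / "neighbor table overflow!").
count_overflow_messages() {
    grep -Eic 'neighbou?r table overflow' || true
}

# Constructed sample in /proc/net/arp layout (documentation addresses).
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.10       0x1         0x2         02:00:00:00:00:0a     *        eth0
192.0.2.11       0x1         0x2         02:00:00:00:00:0b     *        eth0
192.0.2.12       0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
}

# Report on the running system when invoked with the argument "live".
if [ "${1:-}" = live ]; then
    d=/proc/sys/net/ipv4/neigh/default
    n=$(count_arp_entries /proc/net/arp)
    state=$(classify_neigh_usage "$n" "$(cat "$d/gc_thresh1")" \
        "$(cat "$d/gc_thresh2")" "$(cat "$d/gc_thresh3")")
    echo "ipv4 neighbour entries: $n, state: $state"
    echo "overflow messages in dmesg: $(dmesg 2>/dev/null | count_overflow_messages)"
fi
```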
