Failure to reconnect to ldaps server after idle_timeout
Graham Leggett
minfrin at sharp.fm
Tue Mar 10 18:36:53 CET 2015
Hi all,
I have a freeradius v3.0.7 server running in a test setup that uses the rlm_ldap module to verify users and groups against an LDAPS server (i.e. LDAP with SSL enabled).
With radius -X the server starts up, successfully connects to the LDAPS server, and successfully returns the correct results to requests.
After some time has passed, requests start failing as follows:
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 601 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 601 seconds
rlm_ldap (ldap): You probably need to lower "min"
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:636
TLS: could not find the slot for the certificate '/etc/raddb/certs/ldap-ca.pem' - error -8127:The security card or token does not exist, needs to be initialized, or has been removed..
TLS: /etc/raddb/certs/ldap-ca.pem is not a valid CA certificate file - error -8127:The security card or token does not exist, needs to be initialized, or has been removed..
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8127:The security card or token does not exist, needs to be initialized, or has been removed.
TLS: can't create ssl handle.
rlm_ldap (ldap): Bind with cn=Radius,o=Example,c=XX to ldap://ldap.example.com:636 failed: Can't contact LDAP server
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
rlm_ldap (ldap): Opening connection failed (7)
(28) [ldap] = fail
The server is then broken until restarted.
It appears that after a normal idle timeout occurs and the last LDAP connection is shut down, an attempt is made to shut down NSS, which fails as follows:
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
With NSS in a broken state, all subsequent reconnection attempts break.
Is this a known issue in v3.0.7?
Regards,
Graham
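As an added example for this thread (not code from the original post or from the FreeRADIUS project), the script below scans radiusd -X output for the sequence the post describes: idle_timeout closing the last pooled connection, the NSS shutdown error -8053, and every connection open that fails afterwards. The sample log embedded in it is constructed from the lines quoted in the post, and the regular expressions assume the 3.0.7 message format shown there; the report's verdict, pool_drained and nss_wedged(), is this example's own naming, not an rlm_ldap concept.

```python
"""Detect the rlm_ldap idle_timeout -> failed NSS shutdown -> reconnect failure
pattern in radiusd -X output.

Added example for the mailing-list thread above, not FreeRADIUS code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the lines quoted in the post, in the order they appeared.
SAMPLE_LOG = """\
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 601 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 601 seconds
rlm_ldap (ldap): You probably need to lower "min"
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:636
TLS: could not find the slot for the certificate '/etc/raddb/certs/ldap-ca.pem' - error -8127:The security card or token does not exist, needs to be initialized, or has been removed..
TLS: /etc/raddb/certs/ldap-ca.pem is not a valid CA certificate file - error -8127:The security card or token does not exist, needs to be initialized, or has been removed..
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8127:The security card or token does not exist, needs to be initialized, or has been removed.
TLS: can't create ssl handle.
rlm_ldap (ldap): Bind with cn=Radius,o=Example,c=XX to ldap://ldap.example.com:636 failed: Can't contact LDAP server
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
rlm_ldap (ldap): Opening connection failed (7)
(28) [ldap] = fail
"""

# Message shapes taken from the post; other versions may log differently.
CLOSE_RE = re.compile(
    r"rlm_ldap \((\w+)\): Closing connection \((\d+)\): Hit idle_timeout, was idle for (\d+) seconds")
OPEN_FAIL_RE = re.compile(r"rlm_ldap \((\w+)\): Opening connection failed \((\d+)\)")
NSS_SHUTDOWN_RE = re.compile(r"TLS: could not shutdown NSS - error (-?\d+)")
NSS_TOKEN_RE = re.compile(r"TLS: .*error (-?\d+):The security card or token does not exist")


@dataclass
class PoolReport:
    idle_closed: list = field(default_factory=list)        # connection ids closed by idle_timeout
    nss_shutdown_errors: list = field(default_factory=list)  # NSS error codes on shutdown
    token_errors: int = 0                                    # "security card or token" TLS errors
    failed_opens_after_nss_error: list = field(default_factory=list)
    pool_drained: bool = False                               # saw "0 of 0 connections in use"

    def nss_wedged(self) -> bool:
        """True when the pool emptied, NSS refused to shut down, and a later open failed."""
        return (self.pool_drained
                and bool(self.nss_shutdown_errors)
                and bool(self.failed_opens_after_nss_error))


def analyze(lines) -> PoolReport:
    """Walk the debug output once, remembering whether NSS shutdown has already failed."""
    report = PoolReport()
    nss_broken = False
    for line in lines:
        if m := CLOSE_RE.search(line):
            report.idle_closed.append(int(m.group(2)))
        elif m := NSS_SHUTDOWN_RE.search(line):
            report.nss_shutdown_errors.append(int(m.group(1)))
            nss_broken = True
        elif "0 of 0 connections in use" in line:
            report.pool_drained = True
        elif NSS_TOKEN_RE.search(line):
            report.token_errors += 1
        elif m := OPEN_FAIL_RE.search(line):
            # Only opens that fail after the NSS shutdown error count as symptoms.
            if nss_broken:
                report.failed_opens_after_nss_error.append(int(m.group(2)))
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG.splitlines())
    print(f"idle-closed connections: {r.idle_closed}")
    print(f"NSS shutdown errors:     {r.nss_shutdown_errors}")
    print(f"token/slot TLS errors:   {r.token_errors}")
    print(f"failed opens after NSS:  {r.failed_opens_after_nss_error}")
    print("verdict:", "NSS context wedged, restart needed" if r.nss_wedged() else "no wedge detected")
```

Run it against a saved radiusd -X log (one line per list element) to confirm the failure chain before touching pool settings: if nss_wedged() is true, lowering "min" or raising "spare" only changes how long it takes for the pool to drain, because the reconnect fails inside the NSS initialisation, not in the pool.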