LDAP Server Connections Closing Immediately
Alan DeKok
aland at deployingradius.com
Wed Apr 13 21:33:46 CEST 2016
On Apr 13, 2016, at 2:50 PM, Jonathan Gryak <jgryak at westport.k12.ct.us> wrote:
> Sorry for not elaborating. I was primarily concerned with the debug
> message: rlm_ldap (ldap): 0 of 0 connections in use. You may need to
> increase "spare"
OK...
> I suppose that I would expect the slot count in the pool to decrease or
> increase with each connection used, as when the server initially starts up
> the number of available slots decreases from 32 to 28.
As I explained. When the LDAP module gets a redirect from Active Directory, it connects to the other LDAP server. It does this by re-connecting the existing LDAP connection, instead of creating a new one.
Since the existing connection is now pointing to a DIFFERENT ldap server, it's not connected to the MAIN ldap server.
So the LDAP module closes the connection.
> Regarding the "re-use LDAP connections", I thought the lifetime=0 setting
> would mean that an existing slot would be used, and that slot would be
> indicated in the debug output for each LDAP connection.
The meaning and function of "lifetime=0" is documented in the config files. Read them to see how it works.
> I thought perhaps
> that the "1 of 32 pending slots used" message indicated that a new thread
> was being created each time, rather than reusing one from the pool.
If you read the debug output, you would see what I explained. It grabs a connection from the pool. The connection is used to talk to AD. AD returns a redirect to another LDAP server.
Since the existing connection is now pointing to a DIFFERENT ldap server, it's not connected to the MAIN ldap server.
So the LDAP module closes the connection.
Alan DeKok.