LDAP Server Connections Closing Immediately
Jonathan Gryak
jgryak at westport.k12.ct.us
Thu Apr 14 23:43:41 CEST 2016
Thanks for the tip, Mearl.
On Wed, Apr 13, 2016 at 3:50 PM, Danner, Mearl <jmdanner at samford.edu> wrote:
> Jonathan,
>
> > -----Original Message-----
> > From: Freeradius-Users [mailto:freeradius-users-
> > bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of
> > Jonathan Gryak
> > Sent: Wednesday, April 13, 2016 2:44 PM
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: LDAP Server Connections Closing Immediately
> >
> > Alan,
> > Thank you very much for taking the time to explain this.
> >
> > Best,
> > Jonathan
> >
> > On Wed, Apr 13, 2016 at 3:33 PM, Alan DeKok <aland at deployingradius.com>
> > wrote:
> >
> > > On Apr 13, 2016, at 2:50 PM, Jonathan Gryak <jgryak at westport.k12.ct.us> wrote:
> > > > Sorry for not elaborating. I was primarily concerned with the debug
> > > > message: rlm_ldap (ldap): 0 of 0 connections in use. You may need to
> > > > increase "spare"
> > >
> > > OK...
> > >
> > > > I suppose that I would expect the slot count in the pool to decrease or
> > > > increase with each connection used, as when the server initially starts up
> > > > the number of available slots decreases from 32 to 28.
> > >
> > > As I explained. When the LDAP module gets a redirect from Active
> > > Directory, it connects to the other LDAP server. It does this by
>
> You can dispense with the redirects, if not serving multiple domains, by
> pointing LDAP to the global catalog ports of the domain controller.
> ldap 3268
> ldaps 3269
>
> You'll have to get with your AD admins to ensure that the attributes you
> need are exposed to the Global Catalog.
>
> > > re-connecting the existing LDAP connection, instead of creating a new one.
> > >
> > > Since the existing connection is now pointing to a DIFFERENT ldap
> > > server, it's not connected to the MAIN ldap server.
> > >
> > > So the LDAP module closes the connection.
> > >
> > > > Regarding the "re-use LDAP connections", I thought the lifetime=0 setting
> > > > would mean that an existing slot would be used, and that slot would be
> > > > indicated in the debug output for each LDAP connection.
> > >
> > > The meaning and function of "lifetime=0" is documented in the config
> > > files. Read them to see how it works.
> > >
> > > > I thought perhaps
> > > > that the "1 of 32 pending slots used" message indicated that a new thread
> > > > was being created each time, rather than reusing one from the pool.
> > >
> > > If you read the debug output, you would see what I explained. It grabs
> > > a connection from the pool. The connection is used to talk to AD. AD
> > > returns a redirect to another LDAP server.
> > >
> > > Since the existing connection is now pointing to a DIFFERENT ldap
> > > server, it's not connected to the MAIN ldap server.
> > >
> > > So the LDAP module closes the connection.
> > >
> > > Alan DeKok.
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> >
> >
> >
--
Jonathan Gryak
Infrastructure Manager
Westport Public Schools
Technology Center
136 Riverside Avenue
Westport, CT 06880
(203) 341-1211
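As an added configuration example (not part of the thread, and not the FreeRADIUS project's own text), the rlm_ldap fragment below puts the two shapes discussed above side by side in FreeRADIUS 3.0.x syntax: a pool pointed at the standard LDAPS port of a domain controller, which can receive referrals and so re-connect and close pooled connections as Alan describes, and the same pool pointed at the Global Catalog port that Mearl suggests. The host name dc01.example.com, the bind DN, the base DN, the CA file path and the pool sizes are placeholders to be replaced with your own values.

```text
# mods-available/ldap (FreeRADIUS 3.0.x). Hostnames, DNs and paths are placeholders.

ldap {
	# Variant A: standard LDAPS port on a domain controller. AD may answer a
	# search with a referral to another DC; rlm_ldap then re-connects the pooled
	# connection to that DC and, because it no longer points at the configured
	# server, closes it. The debug line
	#   rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
	# is the visible symptom of the pool being drained and refilled.
	#server = 'ldaps://dc01.example.com:636'

	# Variant B: Global Catalog port (3268 = plain LDAP, 3269 = LDAP over TLS).
	# The GC holds a partial replica of every domain in the forest, so the
	# search is answered locally and no referral is returned.
	server = 'ldaps://dc01.example.com:3269'

	identity = 'CN=radius-bind,OU=Service Accounts,DC=example,DC=com'
	password = 'change-me'
	base_dn = 'DC=example,DC=com'

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	options {
		# Referral handling. Against the GC these should never fire; against
		# variant A they are what drives the re-connect described in the thread.
		chase_referrals = yes
		rebind = yes
		res_timeout = 10
		srv_timelimit = 3
		net_timeout = 1
	}

	tls {
		# Verify the DC certificate; do not fall back to an unverified session.
		ca_file = /etc/raddb/certs/ad-root-ca.pem
		require_cert = 'demand'
	}

	pool {
		start = 5
		min = 4
		max = 32
		spare = 3
		uses = 0
		lifetime = 0       # 0 = a connection is never force-closed because of its age
		idle_timeout = 60
	}
}
```

Two checks go with this. First, Mearl's caveat is not a configuration error you will see in the log: an attribute that is not in the Global Catalog's partial attribute set is simply absent from the search result rather than rejected, so run the same ldapsearch against port 3269 and port 636 for one test user and confirm that every attribute your policy reads (group membership, any custom attribute) comes back from both. Second, run radiusd -X and confirm that connections taken from the pool are handed back and reused rather than closed after each request.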