Re: All Sockets being used!
You are right, thats valid for authentication. But in my case, I do authentication with LDAP and I'm only using SQL for accounting. Even with that, the server starts rejecting users once it runs out of SQL sockets. Regards Guillermo Alan DeKok wrote: Guillermo Schimmel [EMAIL PROTECTED] wrote: What we would like (this one is for the developers), is that the server don't start rejecting the users. So... what do you propose the server does? For authentication, if the SQL database is down, the server can do NOTHING but reject the users. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
Guillermo Schimmel [EMAIL PROTECTED] wrote: But in my case, I do authentication with LDAP and I'm only using SQL for accounting. Even with that, the server starts rejecting users once it runs out of SQL sockets. Hmm... if you don't have SQL listed in the 'authorize' block, then authentication should still be working when accounting stops. Are you *sure* that the server is sending Access-Reject packets? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
Alan, I also use ldap for autz/auth and sql/detail for accounting and have also seen this problem. I just didn't have enough information to really troubleshoot it further. What I really need to do is get the latest CVS running in the lab and start trying to break it by kicking the database/ldap from under it. I really need to learn C!!! schu Alan DeKok wrote: Guillermo Schimmel [EMAIL PROTECTED] wrote: But in my case, I do authentication with LDAP and I'm only using SQL for accounting. Even with that, the server starts rejecting users once it runs out of SQL sockets. Hmm... if you don't have SQL listed in the 'authorize' block, then authentication should still be working when accounting stops. Are you *sure* that the server is sending Access-Reject packets? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
I am absolutely sure that I have SQL only in the accounting block. The same with the Access-Rejects packets, I see them with ethereal running on the same machine. It happens with fr 0.8 standard, and the last CVS. Thanks a lot for your time. Guillermo Alan DeKok wrote: Guillermo Schimmel [EMAIL PROTECTED] wrote: But in my case, I do authentication with LDAP and I'm only using SQL for accounting. Even with that, the server starts rejecting users once it runs out of SQL sockets. Hmm... if you don't have SQL listed in the 'authorize' block, then authentication should still be working when accounting stops. Are you *sure* that the server is sending Access-Reject packets? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
On Fri, May 30, 2003 at 08:37:08AM -0800, Matthew Schumacher wrote: Alan, I also use ldap for autz/auth and sql/detail for accounting and have also seen this problem. I just didn't have enough information to really troubleshoot it further. Which version do you running? Which db engine do you use? I'm in process of configuring FR snapshot of 2003-04-24 (keeping it up-to-date, so let's say it's a current snapshot), so able to experiment as extremely as I can. I use files+LDAP (OpenLDAP 2.0.25) in autz, LDAP in auth, 2 sqlcounters in post-auth (blame me, developers!), and detail+sql (PostgreSQL 7.3.2, on the same machine) in acct and sql in session. I also have check items like Attribute := `%{sql:...}` for some users. Let's dig a little: 1. radius running OK, handling access- acct- requests right. 2. I kill -9 main postgres process, so no new conns can be done, then I also kill -9 one of five postgres processes serving radiusd. Most of Access-Requests are still handled fine. For others one of the following occurs: a) sqlcounters treat database error as if accumulated resource (daily/monthly session time) was unconsumed; b) group session returns fail, so radius has nothing to do but consider user isn't online; c) `%{sql:...}` expands to empty string. Accept or Reject only depends on valid user credentials. As for accounting, unhandled requests successfully failed over to detail. 3. I kill the rest postgres processes. Now all of Access-Requests are processed the way described in (2). 4. Once I restart postgres, those go away immediately, radius continues normal operation. So I can't see any BIG problem in my case. What I really need to do is get the latest CVS running in the lab and start trying to break it by kicking the database/ldap from under it. Let's see if it helps... -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
Alex, Which version do you running? Which db engine do you use? OpenLDAP 2.1.17 Postgres 7.3.2 freeradius-20030430 w/patches from the list. I'm in process of configuring FR snapshot of 2003-04-24 (keeping it up-to-date, so let's say it's a current snapshot), so able to experiment as extremely as I can. I use files+LDAP (OpenLDAP 2.0.25) in autz, LDAP in auth, 2 sqlcounters in post-auth (blame me, developers!), and detail+sql (PostgreSQL 7.3.2, on the same machine) in acct and sql in session. I also have check items like Attribute := `%{sql:...}` for some users. I don't read any attributes out of SQL. The sql server doesn't really even do full accounting, it just logs the in/outbytes, nas, address, timestamp and such. I use this data for calculating quotas. All of attributes come from openldap. Let's dig a little: 1. radius running OK, handling access- acct- requests right. 2. I kill -9 main postgres process, so no new conns can be done, then I also kill -9 one of five postgres processes serving radiusd. Most of Access-Requests are still handled fine. For others one of the following occurs: a) sqlcounters treat database error as if accumulated resource (daily/monthly session time) was unconsumed; b) group session returns fail, so radius has nothing to do but consider user isn't online; c) `%{sql:...}` expands to empty string. Accept or Reject only depends on valid user credentials. As for accounting, unhandled requests successfully failed over to detail. 3. I kill the rest postgres processes. Now all of Access-Requests are processed the way described in (2). 4. Once I restart postgres, those go away immediately, radius continues normal operation. So I can't see any BIG problem in my case. I need to do more testing, I've had radius just die in production which is not good. I never had a lick of trouble with it until I started doing sql accounting. It had been running against ldap for a year before made the switch. For now I have to many other things going on to really start working on the testing, hopefully I'll be able to test next week as I am going to try and toss the latest CVS into prod on Thursday. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
On Fri, May 30, 2003 at 10:18:52PM +0400, Alexander M. Pravking wrote: Let's dig a little: Continuing tests... I limited num_sql_socks to 1, created a test user profile which initiates nearly infinite sql query during authorization, and tried to log in by this user. Of cource, it hung up :) Radius could not get an sql socket for other requests and reported 'There are no DB handles to use!' warnings, but, again, authorized / authenticated other users successfully. Hmm... rlm_sql/sql.c seems to been patched seriously last 2 months - see http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/sql.c#rev1.62 and higher. And can anyone send -xxx output showing unexpected access-rejects when all sockets are used? -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
All Sockets being used!
Several people have reported this error and one received two responses. Both responses said to increase the number of sockets. I tried that over 4 months ago, and we still get this error. Also, once we start getting the error on one radius server, the NAS's switch to using the other radius server and then it will start failing the same way. They never seem to recover until the radius server is killed and restarted. I also cannot seem to set the number of sql threads high enough to prevent it. Any idea what is really happening? We are running radiusd (don't remember how to determine the version) on FreeBSD 4.7 and 5.0. Also, we are using mysql on a third machine. I suspected the mysql for a while, but we cannot find anything wrong with it. Any ideas? -- Michael P. Brininstool [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
Michael Brininstool [EMAIL PROTECTED] wrote: Several people have reported this error and one received two responses. Both responses said to increase the number of sockets. I tried that over 4 months ago, and we still get this error. Also, once we start getting the error on one radius server, the NAS's switch to using the other radius server and then it will start failing the same way. They never seem to recover until the radius server is killed and restarted. I also cannot seem to set the number of sql threads high enough to prevent it. Any idea what is really happening? First, check that your SQL server is responding within a reasonable time. See 'doc/rlm_sql'. Otherwise, upgrade to the CVS head. It has fixes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
We generally get the same effect when our SQL server gets slow for some reason. Ussually we discover that it has too much load from some queries. It can be a network overload/error issue, check your connectivity. Of course, have your database optimized (indexes, vacuums, etc) What we would like (this one is for the developers), is that the server don't start rejecting the users. In the case of that events happening, we can recover the logs later from detail files. Regards Guillermo Michael Brininstool wrote: Several people have reported this error and one received two responses. Both responses said to increase the number of sockets. I tried that over 4 months ago, and we still get this error. Also, once we start getting the error on one radius server, the NAS's switch to using the other radius server and then it will start failing the same way. They never seem to recover until the radius server is killed and restarted. I also cannot seem to set the number of sql threads high enough to prevent it. Any idea what is really happening? We are running radiusd (don't remember how to determine the version) on FreeBSD 4.7 and 5.0. Also, we are using mysql on a third machine. I suspected the mysql for a while, but we cannot find anything wrong with it. Any ideas? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: All Sockets being used!
Guillermo Schimmel [EMAIL PROTECTED] wrote: What we would like (this one is for the developers), is that the server don't start rejecting the users. So... what do you propose the server does? For authentication, if the SQL database is down, the server can do NOTHING but reject the users. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html