The issue here (IIUC) is that SSSD keeps the LDAP connection open when an
operation is finished, and the connection is then reused on the next occasion.
If there is a long gap in communication, the firewall may drop the entry for
that particular connection from the NAT table.

Here, shortening `ldap_connection_expire_timeout` (default 15 minutes!)
might help. Be careful: shortening this timeout too much may increase load
on the LDAP server. Ideally, ask the firewall guy how long the NAT
information is kept on the FW and set `ldap_connection_expire_timeout` to a
slightly shorter value.


HTH
Tom


On Mon, Sep 2, 2024 at 5:11 AM Spike White <spikewhit...@gmail.com> wrote:

> I'm a bit confused as to your exact problem.
>
> By default, LDAP queries time out after 6 seconds (ldap_query_timeout).
> Is your problem that LDAP queries are taking too long to run? More than 6
> seconds? And because of that, they're timing out?
>
> Or are you saying after a period of perceived inactivity, your NAT setup
> on your network switch gets dropped, so you need some sort of keep-alive in
> order to keep this NAT mapping alive at all times?
>
> Spike
>
>
> On Sun, Sep 1, 2024 at 8:28 PM Jaehwan Kim <espo...@samsung.com> wrote:
>
>> Hello.
>>
>> We've got a number (thousands) of hosts inside a private network in a cloud
>> environment.
>> These all query the FreeIPA server for user and group information through
>> NAT and a gateway server.
>> However, we're having issues with the LDAP queries timing out or becoming
>> unresponsive due to NAT timeout.
>> In order to prevent hosts (clients) from being disconnected due to NAT
>> timeout, we wish to try some sssd timeout values.
>> Because we have difficulty finding the proper timeout in the sssd.conf(5)
>> manual page (website), can you advise us on the proper timeout or propose
>> another way?
>>
>> Thank you.
>> JHK
>> --
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>


-- 
Tomáš Halman
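As an added example (not code from the thread or from the SSSD project), here is a small audit script for the advice above: it parses an sssd.conf, finds every domain that uses an LDAP-backed provider, and reports whether its `ldap_connection_expire_timeout` (or the 900-second default from sssd.conf(5) when it is unset) will outlive a given NAT idle timeout. The NAT idle timeout value, the 60-second safety margin, the set of providers treated as LDAP-backed (`ldap`, `ipa`, `ad`) and the sample configuration are all assumptions made for the example.

```python
"""Check sssd.conf domains whose pooled LDAP connection can outlive a NAT idle timeout.

Added example for the thread above; not SSSD code. Assumptions:
  - ldap_connection_expire_timeout defaults to 900 seconds (sssd.conf(5)).
  - the NAT idle timeout is known from the firewall team and passed in as seconds.
  - id_provider values ldap, ipa and ad all keep a reusable LDAP connection.
"""
import configparser

DEFAULT_EXPIRE_TIMEOUT = 900                    # seconds, sssd.conf(5) default
LDAP_BACKED_PROVIDERS = {"ldap", "ipa", "ad"}   # assumption: providers that pool an LDAP connection


def parse_sssd_conf(text):
    """Parse INI-style sssd.conf text. Only '=' is a delimiter so URIs with ':' survive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def recommended_timeout(nat_idle_timeout, margin=60):
    """Expire the idle LDAP connection `margin` seconds before the NAT entry would."""
    if nat_idle_timeout <= margin:
        raise ValueError("NAT idle timeout too short to leave a useful margin")
    return nat_idle_timeout - margin


def audit(text, nat_idle_timeout, margin=60):
    """Return {domain: (effective_timeout, verdict)} for each LDAP-backed [domain/...] section.

    verdict is 'ok' when the effective timeout is at or below the recommended value,
    'too_long' when the connection would idle past the NAT entry, and 'invalid' when
    the configured value is not an integer (SSSD would reject it, so flag it too).
    """
    cp = parse_sssd_conf(text)
    limit = recommended_timeout(nat_idle_timeout, margin)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp.get(section, "id_provider", fallback="").strip().lower()
        if provider not in LDAP_BACKED_PROVIDERS:
            continue  # e.g. id_provider = files/proxy: no LDAP connection to worry about
        domain = section[len("domain/"):]
        raw = cp.get(section, "ldap_connection_expire_timeout", fallback=None)
        if raw is None:
            value = DEFAULT_EXPIRE_TIMEOUT  # unset: the 15-minute default applies
        else:
            try:
                value = int(raw)
            except ValueError:
                report[domain] = (raw, "invalid")
                continue
        report[domain] = (value, "ok" if value <= limit else "too_long")
    return report


def suggest_fix(domain, nat_idle_timeout, margin=60):
    """Render the sssd.conf fragment that would bring `domain` under the NAT timeout."""
    return (f"[domain/{domain}]\n"
            f"ldap_connection_expire_timeout = {recommended_timeout(nat_idle_timeout, margin)}\n")


# Constructed sample configuration (not from the thread): one IPA domain left at the
# default, one LDAP domain already tuned, one with a bad value, one that is not LDAP-backed.
SAMPLE_CONF = """\
[sssd]
domains = example.test, corp, broken, local
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
cache_credentials = True

[domain/corp]
id_provider = ldap
ldap_uri = ldaps://ldap.corp.example:636
ldap_connection_expire_timeout = 120

[domain/broken]
id_provider = ad
ldap_connection_expire_timeout = soon

[domain/local]
id_provider = files
"""

if __name__ == "__main__":
    NAT_IDLE_TIMEOUT = 300  # assumed value obtained from the firewall team, in seconds
    for domain, (value, verdict) in sorted(audit(SAMPLE_CONF, NAT_IDLE_TIMEOUT).items()):
        print(f"{domain}: ldap_connection_expire_timeout={value} -> {verdict}")
        if verdict != "ok":
            print(suggest_fix(domain, NAT_IDLE_TIMEOUT), end="")
```

Run it against your real file with `audit(open("/etc/sssd/sssd.conf").read(), nat_idle_timeout)`; the margin keeps SSSD's expiry comfortably ahead of the firewall's, which is the "a little bit shorter" that Tom recommends, while the minimum floor in `recommended_timeout` stops you from driving the value so low that every lookup reconnects and loads the server.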