Return
-
Title
QAS not closing LDAP sessions after querying information from AD -
Description
Our AD Engineer found domain controllers with many open LDAP sessions that weren't closing as expected and so the session limit was reached on the system. -
Cause
LDAP sessions opened by QAS are not being closed down soon enough after no longer being needed resulting in too many open connections on the domain controller.
-
Resolution
By default QAS will close LDAP sessions after 120 seconds. If your environment is very busy than this may result in too many sessions remaining open after they are needed. To fix this issue you can reduce this timeout period with the id-session-age option in vas.conf.
Because these sessions are encrypted using SASL there is a performance cost when reopening them, so you will want to be careful not to set that option too low as it may also cause problems on your domain controllers.
-
Additional Information
Description from vas.conf man page of the id-close-age setting: ld-close-age =Default value: 120 An ld represents an open connection to an LDAP server. By default vasd will close an ld that is inactive for 120 seconds. On very busy systems this default may be too high resulting in too many open file descriptors. The following example shows how to decrease this value to 45 seconds. [vasd] ld-close-age = 45