Limit to the number of Users that can be added in System / User Manager / Users?
-
Hi All,
Is anybody aware of a limit to the number of users that can be added in the User Manager?
The reason I ask is because with two identical systems (both running 2.3.3-RELEASE-p1 (amd64)) with one running as Master and one as Backup we have an issue with the XMLRPC HA Sync locking up the Backup system. The issue we're having is described in more detail in one of my other posts (https://forum.pfsense.org/index.php?topic=126897.0).
Having freshly installed both systems (wiping the config in the process) and configured some VLANs (one of which I'm using for the HA Sync, rather than using the LAN interface, which is advised against), the only thing I've configured is a bunch of users on the Master and it seems to sync fine for the first fifteen or so users.
Then the sync starts to take longer and longer until eventually it will only allow one user to be added on the Master, which syncs over to the backup, then any more changes on the Master fail to sync to the backup until I restart PHP-FPM on the backup, at which point it will again only allow me to make one more change on the Master before locking up PHP-FPM on the backup again.
-
There isn't any limit that is set intentionally. I haven't seen this particular behavior happen before, but I don't think I've had more than about 10 users on a box in my lab.
The XMLRPC components have been rewritten on 2.4. Do you have a test setup you could upgrade to 2.4 and try it out there to see if it still happens?
Can you share some more detail about the users and groups you have? Any unusual user or group names?
-
Hi Jimp,
Many thanks for the reply.
In terms of the setup, we have 46 users in total (including the admin user) and as I wanted to test starting with adding the users first (as that seems to be the thing that is breaking the XMLRPC sync in our case) I haven't yet added the IPsec config and so there are no groups other than the built-in admin group (of which only the admin user is a member).
I don't think there are any unusual user names, certainly nothing with anything other than letters in the username.
Testing 2.4 is a great shout as I'm keen to see whether this will indeed fix the issue with the changes that have been made to XMLRPC in that version.
Will get the boxes installed with 2.4 today, put some of the config in and then report back.
Thanks again for the response,
Jan
-
ok - so I've re-installed both of my testing boxes with the latest build of 2.4.0.
Unfortunately, it's still the same.
I can add around 9 / 10 users, before the sync starts taking longer and longer and eventually the sync stops entirely until a restart of PHP-FPM on the backup which I then have to do every time I add a user on the master.
The interesting thing is that the errors are much longer on 2.4.0 than on 2.3.3, I won't post them here as they're so long, and also the master keeps trying to do the sync until eventually it gives up and throws a version mismatch error (/rc.filter_synchronize: The other member is on a different configuration version of pfSense. Sync will not be done to prevent problems!).
I've even tried setting up the users as username 1, 2, 3, etc., all with password 1234 and the Full name blank in case there is an issue with character length for the sync.
-
There must be some other contributing factor. I just added 20 users and though the user sync did take its time, the secondary was always responsive, I could always reach the GUI, and I did not encounter any failures.
-
Hi,
I managed to resolve the issue for our case in the end.
The two servers we're using as our pfSense boxes are Dell PowerEdge R210II servers; each came loaded with 2 onboard Gigabit Ethernet ports (one being used as the WAN interface and the other for the LAN interface).
In the first instance I had set up the pfSync to use the LAN interface, which I'm led to believe is a big no-no, so I then set up a separate VLAN for the pfSync to use, but as this was still using the physical adaptor shared by the LAN interface, it made no difference.
In the end I bought and fitted an additional PCIe Gigabit Ethernet card in each of the servers, set up a VLAN to use the new physical adaptor (not being used by anything else) and set the pfSync to use the new VLAN and since then I have seen no issues with the sync slowing down or the Backup box becoming unresponsive whilst adding users.
I have now put the new pair into production and we've seen no problems.
Thanks everyone for their help and suggestions.
Hopefully this will help somebody else encountering similar issues.
Cheers,
Jan