
(ITS#4420) Hanging CLOSE_WAIT connections in ldap-backend



Full_Name: Fred Schmalborn
Version: 2.3.19
OS: AIX 5.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (192.109.190.88)


I'm using the ldap backend to proxy some DNs to a corporate LDAP server.
The requests to the corporate LDAP are both anonymous and USER binds. That is
working fine for the first 30 minutes.

For the anonymous BIND there are two permanent connections open to the corporate
LDAP.

The corporate LDAP closes these connections after 30 minutes, and they
remain in CLOSE_WAIT state for a long time (forever?).

After that, I often don't get any more information from the corporate LDAP. In the
TCP trace I see that the OpenLDAP server doesn't communicate with the corporate
LDAP. I have to restart slapd, and then it works fine for the next 30
minutes.

I have tried to set the idle-timeout to 30, but this parameter affects only the
user BIND and not the anonymous one.

Is it possible to set a timeout for the anonymous connections?

Are these hanging CLOSE_WAIT connections a bug, and how can I avoid them?

When it doesn't work (CLOSE_WAIT connections), I see in the syslog:

Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=5 fd=8 ACCEPT from IP=127.0.0.1:36877 (IP=0.0.0.0:389)
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=6 fd=9 ACCEPT from IP=127.0.0.1:36878 (IP=0.0.0.0:389)
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=6 op=0 BIND dn="" method=128
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=5 op=0 BIND dn="" method=128
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=6 op=0 RESULT tag=97 err=0 text=
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=5 op=0 RESULT tag=97 err=0 text=
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=6 op=1 SRCH base="ou=People,dc=corp,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myuser))"
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=5 op=1 SRCH base="ou=People,dc=corp,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myuser))"
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=6 op=1 SRCH attr=uid
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=5 op=1 SRCH attr=uid
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=6 op=1 SEARCH RESULT tag=101 err=52 nentries=0 text=
Mar  1 09:25:23 ipnetmg5 slapd[290912]: conn=5 op=1 SEARCH RESULT tag=101 err=52 nentries=0 text=
Mar  1 09:25:26 ipnetmg5 slapd[290912]: conn=6 op=2 SRCH base="ou=People,dc=corp,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myuser))"
Mar  1 09:25:26 ipnetmg5 slapd[290912]: conn=6 op=2 SRCH attr=uid
Mar  1 09:25:26 ipnetmg5 slapd[290912]: conn=6 op=2 SEARCH RESULT tag=101 err=52 nentries=0 text=
Mar  1 09:25:26 ipnetmg5 slapd[290912]: conn=5 op=2 SRCH base="ou=People,dc=corp,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myuser))"
Mar  1 09:25:26 ipnetmg5 slapd[290912]: conn=5 op=2 SRCH attr=uid
Mar  1 09:25:26 ipnetmg5 slapd[290912]: conn=5 op=2 SEARCH RESULT tag=101 err=52 nentries=0 text=
Mar  1 09:25:28 ipnetmg5 slapd[290912]: conn=5 op=3 SRCH base="ou=People,dc=corp,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myuser))"
Mar  1 09:25:28 ipnetmg5 slapd[290912]: conn=6 op=3 SRCH base="ou=People,dc=corp,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=myuser))"
Mar  1 09:25:28 ipnetmg5 slapd[290912]: conn=5 op=3 SRCH attr=uid
Mar  1 09:25:28 ipnetmg5 slapd[290912]: conn=6 op=3 SRCH attr=uid
Mar  1 09:25:28 ipnetmg5 slapd[290912]: conn=5 op=3 SEARCH RESULT tag=101 err=52 nentries=0 text=
Mar  1 09:25:28 ipnetmg5 slapd[290912]: conn=6 op=3 SEARCH RESULT tag=101 err=52 nentries=0 text=
Mar  1 09:26:06 ipnetmg5 slapd[290912]: conn=5 fd=8 closed (idletimeout)
Mar  1 09:26:06 ipnetmg5 slapd[290912]: conn=6 fd=9 closed (idletimeout)


With lsof on the OpenLDAP Server I see:

slapd     290912     root  cwd   VDIR               10,6                512  92226 /usr (/dev/hd2)
slapd     290912     root    0u  VCHR                2,2                0t0   4161 /dev/null
slapd     290912     root    1u  VCHR                2,2                0t0   4161 /dev/null
slapd     290912     root    2u  VCHR                2,2                0t0   4161 /dev/null
slapd     290912     root    3u  unix 0xf10000f3048d5400                0t0        ->0xf10000f305e87000
slapd     290912     root    4r  FIFO 0xf10000e32237ae50                  0
slapd     290912     root    5w  FIFO 0xf10000e32237ae50                  0
slapd     290912     root    6u  IPv4 0xf10000f3012efb58                0t0        TCP *:389 (LISTEN)
slapd     290912     root    7uw VREG               10,7               4096   8202 /var (/dev/hd9var)
slapd     290912     root   10u  IPv4 0xf10000f305df0b58              0t896        TCP ipnetmg5c1.muc:32803->corpldap.com:3892 (CLOSE_WAIT)
slapd     290912     root   11u  IPv4 0xf10000f306b82b58               0t76        TCP ipnetmg5c1.muc:65424->corpldap.com:3892 (CLOSE_WAIT)
slapd     290912     root   12uW VREG               10,7             122901   8213 /var (/dev/hd9var)
slapd     290912     root   13uW VREG               10,7             493748   8223 /var (/dev/hd9var)
slapd     290912     root   14u  IPv4 0xf10000f30d5ee358               0t76        TCP ipnetmg5c1.muc:32804->corpldap.com:3892 (CLOSE_WAIT)

With Best Regards
Fred
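
Added example, not part of the original report and not OpenLDAP code: a socket sits in CLOSE_WAIT when the remote end has sent its FIN and the local process still holds the descriptor open. The sketch below shows how a client that caches an upstream connection can detect that state before reuse and reconnect; `CachedConn`, `peer_closed` and the loopback listener standing in for the upstream server are hypothetical names constructed for illustration.

```python
import select
import socket


def peer_closed(sock, wait=0.0):
    """True if the remote end has closed (our side is then in CLOSE_WAIT)."""
    readable, _, _ = select.select([sock], [], [], wait)
    if not readable:
        return False                      # no data and no FIN pending
    try:
        # A readable socket that yields zero bytes has reached EOF (FIN seen).
        return sock.recv(1, socket.MSG_PEEK) == b""
    except (ConnectionResetError, BrokenPipeError):
        return True


class CachedConn:
    """Hypothetical one-slot cache for a long-lived upstream connection."""

    def __init__(self, addr):
        self.addr = addr
        self.sock = None
        self.reconnects = 0

    def get(self):
        if self.sock is not None and peer_closed(self.sock):
            self.sock.close()             # leave CLOSE_WAIT and free the fd
            self.sock = None
            self.reconnects += 1
        if self.sock is None:
            self.sock = socket.create_connection(self.addr, timeout=5)
        return self.sock


def demo():
    # Constructed stand-in for the upstream server, bound to a free loopback port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    cache = CachedConn(listener.getsockname())
    first = cache.get()
    upstream, _ = listener.accept()
    alive_before = not peer_closed(first)
    upstream.close()                      # upstream drops the idle connection
    detected = peer_closed(first, wait=2.0)
    second = cache.get()                  # stale socket closed, new one opened
    upstream2, _ = listener.accept()
    result = (alive_before, detected, second is not first, cache.reconnects)
    for s in (second, upstream2, listener):
        s.close()
    return result


if __name__ == "__main__":
    print(demo())
```
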