
Re: (ITS#5396) Too much open connections



ecip@gmv.es wrote:

> Hi all, using openldap 2.4.8 as a metadirectory server in front of a couple of
> Active Directory Servers and a local database we have found an issue with the
> number of ESTABLISHED connections.
> 
> This is a part of the slapd configuration file:
> 
> backend         meta
> database        meta
> 
> ## Suffix of the tree shown by the metadirectory and its administrator
> ## user (LDAP superuser).
> suffix          "dc=gmv,dc=es"
> rootdn          "cn=diradmin,dc=gmv,dc=es"
> ## Superuser password; convert it to hashed text with slappasswd.
> rootpw          secret
> 
> ##############################################
> ### Options common to the whole metadirectory.
> ##############################################
> #########################################
> #### Common configuration directives.
> ## TTL for dropping a connection, even if it is not idle (6 minutes).
> conn-ttl 360
> ## LDAP protocol version to use.
> protocol-version 3
> ## Action on a referral.
> chase-referrals no
> ## TTL for dropping an idle connection (5 minutes).
> idletimeout 300
> #####################################################################
> ### Definition of the remote LDAP server for queries of UNIX user and
> ### group information from machines that are LDAP clients.
> #####################################################################
> ## Definition of the remote target servers to query.
> ## The first remote server that responds will be queried.
> ## I define a list of DCs that can respond for the naming context
> ## dc=gmv,dc=es. First target with its configuration parameters.
> uri "ldap://gmvdc1.gmv.es/DC=gmv,DC=es  ldap://gmvdc2.gmv.es/";
> idle-timeout 300
> ## We enable the rewrite engine for queries.
> rewriteEngine on
> overlay rwm
> 
> 
> and the output of the netstat -an command shows too many ESTABLISHED connections
> between the metadirectory and the remote servers.
> 
> After a while, the process runs out of file descriptors.

There seems to be no clear indication of a software bug, but rather of
resource exhaustion, which could be reduced by properly identifying how
the proxy works and how the clients exploit its functionality.

A few comments:
- why do you use back-meta with just one URI? Use back-ldap instead.
- why do you enable the rewrite engine for that URI but don't
specify any rewrite rule?  Is your server performing so well that it can
afford to waste some cycles?
- why do you add slapo-rwm (not needed with back-meta, since it has
built-in rewrite capabilities you don't need but have just switched on;
see the previous remark)?  Again, are you eager to reduce the performance
of your proxy?

With respect to resource exhaustion, it might depend on the use you
make of your system.  Are you using it for multiple authentications on
the same client connection?  In that case, you might need to look at the
"single-conn" directive; otherwise, if your clients are using
authenticated connections for repeated operations, you might look at
idassert-bind (I note it's not documented in slapd-meta(5), but it's
identical to that in slapd-ldap(5), except that it's on a per-target basis).

Hope this helps.  I suggest you move discussion to openldap-software, to
find out how to improve your configuration.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
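A back-ldap configuration that applies the suggestions in the reply above, added here as an example; it is not taken from the ITS thread or from the OpenLDAP project. The hostnames and suffix come from the original post; the proxy identity cn=proxy,dc=gmv,dc=es, its credentials and the authzFrom rule are placeholder assumptions.

```conf
# Added example, not from the ITS thread: the original back-meta setup
# rewritten for back-ldap, with connection reuse for repeated binds.

backend         ldap
database        ldap
suffix          "dc=gmv,dc=es"
rootdn          "cn=diradmin,dc=gmv,dc=es"
rootpw          secret

# One naming context, one target: back-ldap is sufficient.  The URI list
# is tried in order and the first server that answers is used.
uri             "ldap://gmvdc1.gmv.es/ ldap://gmvdc2.gmv.es/"
protocol-version 3
chase-referrals no

# Recycle cached connections to the remote servers (seconds), so a
# connection is dropped when it is idle or, at the latest, after 6 minutes.
conn-ttl        360
idle-timeout    300

# Drop the cached remote connection when a client rebinds on the same
# client connection, instead of leaving one remote socket per bind open.
single-conn     yes

# Route operations of already-authenticated clients through a single
# proxy identity (placeholder DN and password) rather than one remote
# connection per bound user.  The remote server must allow that identity
# to use proxied authorization for the asserted users.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=gmv,dc=es"
                credentials="PROXY-PASSWORD-PLACEHOLDER"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "dn.subtree:dc=gmv,dc=es"

# No rewriteEngine and no "overlay rwm": nothing is rewritten here, so
# no cycles are spent on an empty rule set.
```

Whether the remote servers honor the proxied authorization control that idassert-bind relies on is something to verify on those servers before deploying this; with flags=non-prescriptive, operations whose identity cannot be asserted fall back to the client's own bind. After the change, the count of ESTABLISHED sockets toward gmvdc1/gmvdc2 should track the number of distinct proxy connections rather than the number of client binds.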