
Re: intermittent nss/ldap user lookup failures on RedHat 7.0, 7.1



On Tue, 9 Oct 2001, Alex Vorobiev wrote:

>
> i originally reported this problem a couple of days ago as a sendmail/ldap
> problem.
>
> we experience intermittent failures with user lookups via nss/ldap.
> we observe the same problems with RedHat 7.0 or 7.1, openldap-2.0.7 or
> 2.0.8, and nss_ldap 149 (various releases).

We've seen exactly the same sort of behaviour.  We have four client
machines talking to a single LDAP server, and we sometimes see the client
(usually nss_ldap) log 'unable to contact LDAP server'.  At the server
end, we see lots of messages from the kernel saying

ip_conntrack: maximum limit of 16376 entries exceeded

I'd be interested to hear if you have similar messages.

We had success making these messages go away just by restarting slapd.
(And LDAP became reliable again.)

With netstat I can often see 100 or so simultaneous connections to the
LDAP server.  Since I expect a connection to be very short-lived I figure
this means we're getting a very high connection rate.  Are we blowing
a kernel limit due to LDAP traffic load?

Should we be running with a larger ip_conntrack_max?  I'm not sure about
increasing it because I think it has implications for security.

Bob G
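A check for the two numbers discussed in this reply, added here as an example that is not part of the original thread: it counts LDAP-port TCP connections by state from netstat-style output and reports how full the connection-tracking table is. The netstat lines and addresses are constructed; the live /proc paths are the nf_conntrack names used by current kernels (the 2.4-era sysctl referred to in the thread is /proc/sys/net/ipv4/ip_conntrack_max).

```shell
#!/bin/sh
# Added example, not from the original thread: count LDAP-port TCP connections
# by state from netstat-style output and report conntrack table utilisation.

# Constructed sample of `netstat -tn` output (hypothetical RFC 5737 addresses).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:389          192.0.2.21:34512        ESTABLISHED
tcp        0      0 192.0.2.10:389          192.0.2.22:40111        TIME_WAIT
tcp        0      0 192.0.2.10:389          192.0.2.21:34513        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.50:51000        ESTABLISHED
tcp        0      0 192.0.2.10:389          192.0.2.23:45002        TIME_WAIT'

# ldap_conns STATE [PORT]: number of connections to local PORT (default 389)
# in STATE, read from netstat-style lines on stdin. Many TIME_WAIT entries
# next to few ESTABLISHED ones point to a high rate of short-lived connections.
ldap_conns() {
    awk -v st="$1" -v p=":${2:-389}\$" \
        '$1 == "tcp" && $4 ~ p && $6 == st { n++ } END { print n + 0 }'
}

# conntrack_pct COUNT MAX: integer percentage of the conntrack table in use.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# live_conntrack_pct: the same calculation from the running kernel's counters.
# Paths are the nf_conntrack names of current kernels; the 2.4-era sysctl
# named in the thread is /proc/sys/net/ipv4/ip_conntrack_max.
live_conntrack_pct() {
    base=/proc/sys/net/netfilter/nf_conntrack
    if [ -r "${base}_count" ] && [ -r "${base}_max" ]; then
        conntrack_pct "$(cat "${base}_count")" "$(cat "${base}_max")"
    else
        echo "conntrack counters not readable on this host" >&2
        return 1
    fi
}

# Demonstration on the constructed sample.
echo "ESTABLISHED to 389: $(printf '%s\n' "$SAMPLE_NETSTAT" | ldap_conns ESTABLISHED)"
echo "TIME_WAIT to 389:   $(printf '%s\n' "$SAMPLE_NETSTAT" | ldap_conns TIME_WAIT)"
# 15000 tracked entries (constructed) against the 16376 limit from the log line
echo "conntrack in use:   $(conntrack_pct 15000 16376)%"
```

On a real server, pipe `netstat -tn` into `ldap_conns` and call `live_conntrack_pct` to see how close the table is to the limit before deciding whether raising it or shortening connection lifetimes is the better fix.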