Full_Name: Ragnar Wisløff
Version: 2.0.27
OS: GNU/Debian Linux Stable
URL: http://bugs.skolelinux.no/show_bug.cgi?id=514
Submission from: (NULL) (80.213.11.10)

In an installation using the Debian Woody derivative Skolelinux we have once
seen slapd report in the syslog messages similar to this:

tjener slapd[353]: warning: cannot open /etc/hosts.deny: Too many open files

Other files were also mentioned. We checked that this was not a file-max/file-nr
issue. Until slapd was restarted no users could log in. Restarting slapd cured
the problem. This situation has only occurred once. The system has about 800 -
1000 users, with typically around 500 active users being authenticated by the
OpenLDAP server at a time when the problem occurred. OpenLDAP is used mainly for
authentication of Linux and Windows (Samba 2) users.

On Wed, Nov 05, 2003 at 10:16:53PM +0000, ragnar@skolelinux.no wrote:

> In an installation using the Debian Woody derivative Skolelinux we have once
> seen slapd report in the syslog messages similar to this:
>
> tjener slapd[353]: warning: cannot open /etc/hosts.deny: Too many open files
>
> Other files were also mentioned. We checked that this was not a file-max/file-nr
> issue. Until slapd was restarted no users could log in. Restarting slapd cured
> the problem. This situation has only occurred once. The system has about 800 -
> 1000 users, with typically around 500 active users being authenticated by the
> OpenLDAP server at a time when the problem occurred. OpenLDAP is used mainly for
> authentication of Linux and Windows (Samba 2) users.

Remember that each active user will keep *at least* one connection
open to the LDAP server. The actual number depends on the client
systems: I tested a few in Jan 2002 and the results are in the
'Performance' section of my paper on Security with LDAP:

http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html

Thus, if you have 500 active users you are likely to have a base load
of 500 open connections plus a variable load that might peak almost
twice as high during busy periods. Each connection needs a file
descriptor so you could easily run into limits imposed by the
operating system. The 'ulimit -a' command should show you the default
limits - e.g. on my Linux 2.4.18 system the default limit on open files is
1024.

Next time you hit the problem it would be worth using 'lsof' to find
out what files the slapd process actually has open. This may well give
a clue to the problem (e.g. if file descriptors are being leaked, or
if some clients are opening vast numbers of connections).

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                        +44 1628 782565 |
-----------------------------------------------------------------------

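The check suggested in the message above, as an added example that is not part of the original thread: a C program that counts a process's open descriptors from /proc/<pid>/fd and compares the count with the soft "Max open files" value in /proc/<pid>/limits. It assumes Linux with /proc mounted; the function names and the 80% warning threshold are illustrative choices.

```c
/* Added example (not from the thread): descriptor usage versus the soft limit, via Linux /proc. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Entries in /proc/<pid>/fd; -1 if unreadable (no such pid, or not the owner/root).
 * When pid is the caller itself, the count includes the descriptor opendir() holds. */
long count_open_fds(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/fd", (long)pid);
    DIR *d = opendir(path);
    if (!d) return -1;
    long n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; )
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n;
}

/* Soft "Max open files" from /proc/<pid>/limits; -1 if missing, unlimited or unparsable. */
long soft_nofile_limit(pid_t pid)
{
    char path[64], line[256];
    long soft = -1;
    snprintf(path, sizeof path, "/proc/%ld/limits", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "Max open files", 14) == 0) {
            soft = strtol(line + 14, NULL, 10);   /* first column after the name is the soft limit */
            break;
        }
    fclose(f);
    return soft > 0 ? soft : -1;
}

int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    long used = count_open_fds(pid), soft = soft_nofile_limit(pid);
    if (used < 0 || soft < 0) { fprintf(stderr, "cannot read /proc/%ld\n", (long)pid); return 1; }
    printf("pid %ld: %ld of %ld descriptors in use\n", (long)pid, used, soft);
    return used * 100 / soft >= 80 ? 2 : 0;   /* exit 2 = above the illustrative 80% threshold */
}
```

Run it with the slapd pid as the only argument; the exit status makes it usable from cron or a monitoring check.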
Hi,

Is it possible to run slapd with more than 1024 file descriptors
in Red Hat 7.3 ? Is there any compile flag needed to build slapd which
supports more than 1024 file descriptors ?

Regards,
CK Cheung

On Thu, 6 Nov 2003 andrew.findlay@skills-1st.co.uk wrote:

> On Wed, Nov 05, 2003 at 10:16:53PM +0000, ragnar@skolelinux.no wrote:
>
> > In an installation using the Debian Woody derivative Skolelinux we have once
> > seen slapd report in the syslog messages similar to this:
> >
> > tjener slapd[353]: warning: cannot open /etc/hosts.deny: Too many open files
> >
> > Other files were also mentioned. We checked that this was not a file-max/file-nr
> > issue. Until slapd was restarted no users could log in. Restarting slapd cured
> > the problem. This situation has only occurred once. The system has about 800 -
> > 1000 users, with typically around 500 active users being authenticated by the
> > OpenLDAP server at a time when the problem occurred. OpenLDAP is used mainly for
> > authentication of Linux and Windows (Samba 2) users.
>
> Remember that each active user will keep *at least* one connection
> open to the LDAP server. The actual number depends on the client
> systems: I tested a few in Jan 2002 and the results are in the
> 'Performance' section of my paper on Security with LDAP:
>
> http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html
>
> Thus, if you have 500 active users you are likely to have a base load
> of 500 open connections plus a variable load that might peak almost
> twice as high during busy periods. Each connection needs a file
> descriptor so you could easily run into limits imposed by the
> operating system. The 'ulimit -a' command should show you the default
> limits - e.g. on my Linux 2.4.18 system the default limit on open files is
> 1024.
>
> Next time you hit the problem it would be worth using 'lsof' to find
> out what files the slapd process actually has open. This may well give
> a clue to the problem (e.g. if file descriptors are being leaked, or
> if some clients are opening vast numbers of connections).
>
> Andrew
>

On Fri, Nov 07, 2003 at 03:24:55AM +0000, ckche@pacific.net.hk wrote:

> Hi,
>
> Is it possible to run slapd with more than 1024 file descriptors
> in Red Hat 7.3 ? Is there any compile flag needed to build slapd which
> supports more than 1024 file descriptors ?

This limit is not imposed by openldap. It's from glibc. OpenLDAP uses the
select() system call which, in a default glibc installation, can handle up
to 1024 descriptors. Increasing this limit can only be done by recompiling
glibc with a bigger FD_SETSIZE.
Another alternative would be to port OpenLDAP to use poll() instead of
select(). poll() doesn't have such a limit.

--
Ralf Haferkamp
SUSE LINUX AG, Deutschherrnstrasse 15-19, D-90429 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - Ralf.Haferkamp@suse.com

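The select()/poll() difference described in the message above, as an added example that is not part of the original thread and is not OpenLDAP code: the same pipe is watched through a low descriptor and through a duplicate numbered at or above FD_SETSIZE. The helper names are illustrative, and the high duplicate is only created if the process's hard RLIMIT_NOFILE allows it.

```c
/* Added example (not OpenLDAP code): FD_SETSIZE bounds select(), not poll(). Names are illustrative. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* 1 = readable, 0 = timed out, -1 = error. FD_SET() on fd >= FD_SETSIZE overruns the set, so refuse it. */
int readable_select(int fd, int timeout_ms)
{
    if (fd < 0 || fd >= FD_SETSIZE) { errno = EINVAL; return -1; }
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    struct timeval tv = { .tv_sec = timeout_ms / 1000, .tv_usec = (timeout_ms % 1000) * 1000 };
    int r = select(fd + 1, &rfds, NULL, NULL, &tv);
    return r > 0 ? 1 : r;
}

/* Same contract. poll() takes an array of descriptors, so the descriptor's number does not matter. */
int readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int r = poll(&p, 1, timeout_ms);
    return r <= 0 ? r : ((p.revents & (POLLIN | POLLHUP)) ? 1 : -1);
}

/* Duplicate fd onto a number >= FD_SETSIZE, raising the soft limit toward the hard
 * limit if needed. Returns -1 when the hard limit does not leave room. */
int dup_above_fd_setsize(int fd)
{
    struct rlimit rl;
    rlim_t want = FD_SETSIZE + 64;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < want) {
        rl.rlim_cur = rl.rlim_max < want ? rl.rlim_max : want;
        (void)setrlimit(RLIMIT_NOFILE, &rl);
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}

int main(void)
{
    int p[2];
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1) return 1;
    int fds[2] = { p[0], dup_above_fd_setsize(p[0]) };
    for (int i = 0; i < 2 && fds[i] >= 0; i++)
        printf("fd %d: select=%d poll=%d\n", fds[i], readable_select(fds[i], 100), readable_poll(fds[i], 100));
    return 0;
}
```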
changed notes changed state Open to Closed
moved from Incoming to Archive.Incoming
not a bug