[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5354) slapd repeatedly hangs and stops reponding


Howard Chu wrote:
> Oren Laadan wrote:
>>> It shows enough; back-meta is hanging waiting for responses from some 
>>> other
>>> LDAP server. This is a pretty bad configuration; you should not use 
>>> back-meta
>>> (or back-ldap) to redirect queries back into the same slapd. You 
>>> should use
>>> back-relay instead.
>> I'm not quite sure why having the server query itself is such a bad idea.
>> Can you please explain ?
> Any request then occupies a minimum of two slapd threads - one for 
> back-meta itself, and one for the extra inbound query. If you 
> misconfigure the meta URIs then you get into an infinite loop, which 
> consumes all of the available slapd threads.

The URIs are configured as following (see my original ITS post
for the full config file):

database        meta
lastmod         off
suffix          "dc=CS,dc=EXAMPLE,dc=COM"

uri             "ldaps://ldap.cs.example.com/dc=CS,dc=EXAMPLE,dc=COM"
uri             "ldaps:///dc=CS,dc=EXAMPLE,dc=COM"
suffixmassage   "dc=CS,dc=EXAMPLE,dc=COM" "dc=MINE,dc=CS,dc=EXAMPLE,dc=COM"

>> Let me repeat how my setup works:
>> * there exists an LDAP server "ldap.cs.example.com" for domain 
>> * I need to build a server that extends the contents of that server, for
>>     the same domain; but I don't have access to the DB of that server.
> See slapo-translucent, which was written specifically for this reason.

I see. Am trying to build a new config using this overlay now.

>> * My clients will use my server, with the domain CS.EXAMPLE.COM 
>> (instead of
>>     querying the original server)
> Please stop using the "domain" terminology. LDAP uses Distinguished 
> Names, not domains. Tell us the distinguished names of the server 
> contexts you're dealing with. Tell us the actual DNs of the entries 
> you're dealing with.

Yes are correct. I confuse the two terms because the DNs follow the
convention of the network domains. So --

the original server servers "dc=CS,dc=EXAMPLE,dc=COM"
my server serves the same DNs for the clients; however the "extra"
local DB that I created is set for "dc=MINE,dc=CS,dc=EXAMPLE,dc=COM"

>> * So I set up my own LDAP server "ldap.MINE.CS.EXAMPLE.COM" that 
>> serves two
>>     databases:
>>     (1) a BDB-backend for domain MINE.CS.EXAMPLE.COM that holds a very 
>> small
>>     database (less than 100 entries).
>>     (2) a META-backend for domain CS.EXAMPLE.COM that is configured to 
>> relay
>>     to both the original server (ldap.cs.example.com) and also relay 
>> to the
>>     local (other) server (ldap.mine.cs.example.com); the second relay 
>> is done
>>     with "suffixmassage" to convert from CS.EXAMPLE.COM to 
>>     and back.
>> So, yes, my server/2nd-DB effectively relays queries to the my 
>> server/1st-DB
>> The questions are:
>> (1) why is this such a bad idea ?
> See above.
>> (2) how would I use back-ldap in place ?
> I would use back-ldap to contact the remote server and subordinate glue 
> for the local bdb database.
>> Note that the reason to originally select the meta-ldap backend was 
>> because
>> it was the only one that I could find in the docs that automagically 
>> merges
>> two separate databases and presents them as a single database the client.
> I think you should be able to construct your DIT without needing to do 
> any suffix massaging.

The reason I needed the suffix massaging in my setup is because I had
two servers coexisting on the same machine: one that is used by the
clients, and one that is used by the server itself through ldap-meta;

since the one visible to the clients was already "dc=CS,dc=EXAMPLE,dc=COM"
I had to make the other one do a different DN, hence the addition of
the "dc=MINE" at the beginning, and the suffix massaging

I hope that overlay translucent works, and that it does away with this
ugly trick that I had to put there.

I'm now re-doing the config to try it out. Many thanks to everybody
for the help so far.