[Date Prev][Date Next] [Chronological] [Thread] [Top]

ITS#5396

To: openldap-its@OpenLDAP.org
Subject: ITS#5396
From: ecizaguirre@gmv.com
Date: Mon, 10 Mar 2008 12:56:06 GMT

Hi Pierangelo, I guess I have to explain a little bit more about the configuration I am working with.

I didn't send the whole config file, there are two URIs defined in it with correspondig rewrite rules so the rewrite engine is needed, although I have to check the rewrite capabilities of back-meta.

I have used the single-conn directive but I have faced the same problem, every connection gets stuck in the CLOSE_WAIT state in the metadirectory server but is closed in the remote LDAP servers.

I guess you are rigth and is only a configuration issue but, why every socket remains open, in CLOSE_WAIT state, even when there is no more connections to the server? I have reproduced the issue in a test enviroment and the sockets are freed only when the slapd server is stopped.

The whole config file follows:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
### Fichero de schema basico de OpenLDAP.
include /opt/openldap-2.4.8/etc/openldap/schema/core.schema
### Definiciones incluidas con OpenLDAP. Es importante usar el orden dado ya
### que hay atributos definidos en un schema que se usan en los siguientes.
include /opt/openldap-2.4.8/etc/openldap/schema/cosine.schema
include /opt/openldap-2.4.8/etc/openldap/schema/inetorgperson.schema
### Definicion de atributos de Active Directory.
include /opt/openldap-2.4.8/etc/openldap/schema/AD.schema
### Definicion incluida con OpenLDAP para usar LDAP como servicio NIS.
include /opt/openldap-2.4.8/etc/openldap/schema/nis.schema
### Definicion de atributos y objetos de Grupo GMV.
include /opt/openldap-2.4.8/etc/openldap/schema/local.schema
### Definicion de atributos y objetos de samba.
include /opt/openldap-2.4.8/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

pidfile /opt/openldap-2.4.8/var/run/slapd.pid
argsfile /opt/openldap-2.4.8/var/run/slapd.args

## TTL para tirar una conexion inactiva (1 minuto).
idletimeout 60
## Caractersiticas adicionales.
allow bind_anon_cred

#######################################################################
#
# Definicion de una base de datos Metadirectorio para consultas a AD.
#
#######################################################################
backend meta
database meta

## Sufijo del arbol mostrado por el metadirectorio y usuario
## administrador del mismo(superusuario de ldap).
suffix "dc=gmv,dc=es"
rootdn "cn=diradmin,dc=gmv,dc=es"
## Password del superusuario, pasar a texto cifrado con slappasswd.
rootpw secret

##############################################
### Opciones comunes a todo el metadirectorio.
##############################################
#########################################
#### Directivas comunes de configuracion.
## TTL para tirar una conexion, aunque no este inactiva (6 minutos).
conn-ttl 120
## Version del protocolo LDAP a utilizar.
protocol-version 3
## Accion ante un referral.
chase-referrals no
#####################################################################
### Definicion del LDAP remoto para las consultas de informacion de
### usuario y grupos UNIX desde maquinas que son clientes LDAP.
#####################################################################
## Definicion de los servidores target remotos a consultar.
## Se consultara el primer servidor remoto que responda.
## Defino una lista de dcs que pueden responder para el contexto de
## nombre dc=gmv,dc=es. Primer target con sus parametros de configuracion.
uri "ldap://gmvdc1.gmv.es/DC=gmv,DC=es"; "ldap://gmvdc2.gmv.es/";
## Habilitamos el sistema de reescritura para las consultas.
rewriteEngine on
overlay rwm
## Pseudoroot DN.
idassert-bind bindmethod=simple binddn="CN=proxymetadir,OU=SISTEMAS,OU=Usuarios,DC=gmv,DC=es" credentials="****" mode=none
###################################################################
###################################################################
# Definicion de las reglas de reescritura a utilizar para los DCs.
###################################################################
###################################################################
## Reglas de reescritura para buscar informacion en los DCs.
## Primero se cambia el sufijo del arbol para buscar grupos.
rwm-suffixmassage "ou=group,dc=gmv,dc=es" "OU=Proyectos,OU=Grupos,DC=gmv,DC=es"
## Ahora se modifica para buscar las cuentas de usuario.
rwm-suffixmassage "ou=people,dc=gmv,dc=es" "OU=Usuarios,DC=gmv,DC=es"
## Regla de reescritura para el DN de los grupos.
## Teoricamente solo deberia aplicarse a los resultados devueltos
## a los clientes del servidor.
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.+)?_prj,ou=Group,dc=gmv,dc=es" "$1,ou=Group,dc=gmv,dc=es"
## Ahora vienen las reglas de reescritura de los atributos y las
## clases de objeto de cuentas de usuario y grupo UNIX.
rwm-map objectClass posixAccount user
rwm-map objectClass shadowAccount person
rwm-map objectClass posixGroup group
##
## Definicion de atributos a mapear con MS SFU 3.0.
##
rwm-map attribute gecos msSFU30Gecos
rwm-map attribute homeDirectory msSFU30HomeDirectory
rwm-map attribute uidNumber msSFU30UidNumber
rwm-map attribute loginShell msSFU30LoginShell
rwm-map attribute gidNumber msSFU30GidNumber
rwm-map attribute memberUid msSFU30MemberUid
rwm-map attribute ShadowFlag msSFU30ShadowFlag
rwm-map attribute ShadowExpire msSFU30ShadowExpire
rwm-map attribute ShadowInactive msSFU30ShadowInactive
rwm-map attribute ShadowMax msSFU30ShadowMax
rwm-map attribute ShadowWarning msSFU30ShadowWarning
rwm-map attribute ShadowLastChange msSFU30ShadowLastChange
rwm-map attribute ShadowMin msSFU30ShadowMin
### Como hay dos atributos iguales para los usuarios y para
### los grupos haremos esta distincion entre unos y otros
### para realizar el mapeo entre los dos.
## Los grupos se identifican por cn.
rwm-map attribute cn msSFU30Name
## Los usuarios se identifican por uid.
rwm-map attribute uid sAMAccountName
## El resto de atributos no los quiero para nada asi que me los
## cargo con los siguientes mapeos.
rwm-map attribute DSCOREPROPAGATIONDATA
rwm-map attribute SHOWINADDRESSBOOK
rwm-map attribute MSEXCHHOMESERVERNAME
rwm-map attribute MSEXCHALOBJECTVERSION
rwm-map attribute MSEXCHMAILBOXSECURITYDESCRIPTOR
rwm-map attribute MSEXCHUSERACCOUNTCONTROL
rwm-map attribute MSEXCHMAILBOXGUID
rwm-map attribute PROXYADDRESSES
rwm-map attribute MEMBEROF
rwm-map attribute HOMEMTA
rwm-map attribute HOMEMDB
rwm-map attribute USERACCOUNTCONTROL
rwm-map attribute manager
rwm-map attribute LEGACYEXCHANGEDN
rwm-map attribute BADPWDCOUNT
rwm-map attribute BADPASSWORDTIME
rwm-map attribute LASTLOGOFF
rwm-map attribute LASTLOGON
rwm-map attribute USERWORKSTATIONS
rwm-map attribute PWDLASTSET
rwm-map attribute OBJECTSID
rwm-map attribute ADMINCOUNT
rwm-map attribute ACCOUNTEXPIRES
rwm-map attribute LOGONCOUNT
rwm-map attribute DIRECTREPORTS
rwm-map attribute USNCREATED
rwm-map attribute USNCHANGED
rwm-map attribute CODEPAGE
rwm-map attribute OBJECTGUID
rwm-map attribute MDBUSEDEFAULTS
rwm-map attribute title
rwm-map attribute physicalDeliveryOfficeName
rwm-map attribute objectCategory
rwm-map attribute LASTLOGONTIMESTAMP
rwm-map attribute MSEXCHPOLICIESINCLUDED
rwm-map attribute MSRTCSIP-PRIMARYHOMESERVER
rwm-map attribute MSRTCSIP-PRIMARYUSERADDRESS
rwm-map attribute MSRTCSIP-FEDERATIONENABLED
rwm-map attribute MSRTCSIP-OPTIONFLAGS
rwm-map attribute street
rwm-map attribute jpegPhoto
rwm-map attribute USERPARAMETERS
rwm-map attribute member
rwm-map attribute INSTANCETYPE
rwm-map attribute WHENCREATED
rwm-map attribute WHENCHANGED
rwm-map attribute COMPANY
rwm-map attribute DELIVERANDREDIRECT
rwm-map attribute AUTHORIGBL
rwm-map attribute MAILNICKNAME
rwm-map attribute COUNTRYCODE
rwm-map attribute LOGONHOURS
rwm-map attribute PRIMARYGROUPID
rwm-map attribute SAMACCOUNTTYPE
rwm-map attribute USERPRINCIPALNAME
rwm-map attribute textEncodedORAddress
rwm-map attribute mail
rwm-map attribute MSRTCSIP-USERENABLED
rwm-map attribute MSRTCSIP-INTERNETACCESSENABLED
rwm-map attribute SRTCSIP-ARCHIVINGENABLED
rwm-map attribute c
rwm-map attribute l
rwm-map attribute st
rwm-map attribute postalCode
rwm-map attribute telephoneNumber
rwm-map attribute facsimileTelephoneNumber
rwm-map attribute givenName
rwm-map attribute initials
rwm-map attribute MSRTCSIP-ARCHIVINGENABLED
rwm-map attribute MSSFU30NISDOMAIN
rwm-map attribute SCRIPTPATH
rwm-map attribute DEPARTMENT
rwm-map attribute co
rwm-map attribute GECOS-OLD
rwm-map attribute UIDNUMBER-OLD
rwm-map attribute GIDNUMBER-OLD
rwm-map attribute LOGINSHELL-OLD
rwm-map attribute MSSFUHOMEDIRECTORY
rwm-map attribute MSSFUNAME

Thanks again,

Eduardo.

-----Mensaje original-----
De: Eduardo Izaguirre Pazos
Enviado el: viernes, 29 de febrero de 2008 13:28
Para: 'openldap-its@openldap.org'
Asunto: ITS#5396

Another update about this problem. Connections between slpad and the remote active directory servers remains in ESTABLISHED state for a long time and changes to CLOSE_WAIT state in the slapd server. In the active directory servers the connections then changes to FIN_WAIT_2, so it seems the slapd server is not sending the FIN packet to close the socket.

Cheers.

Eduardo
________________________________

De: Eduardo Izaguirre Pazos
Enviado el: jueves, 28 de febrero de 2008 13:21
Para: 'openldap-its@openldap.org'
Asunto: ITS#5396

An update about the case, the problem seems to be related with the connections which remains in CLOSE_WAIT state, as an example:

[root@metaldap openldap]# netstat -an | grep -i close | wc -l
11361

all these connections are to the remote ldap servers.

Cheers.

Eduardo.

________________________________

Eduardo Izaguirre Pazos

Administrador de Sistemas /

Systems Administrator

GRUPO TECNOLÓGICO
E INDUSTRIAL GMV,S.A.
Isaac Newton, 11
P.T.M. Tres Cantos
E-28760 Madrid
Tel. +34 91 807 21 00
Fax +34 91 807 21 99
www.gmv.com

______________________
Este mensaje, y en su caso, cualquier fichero anexo al mismo,
puede contener informacion clasificada por su emisor como confidencial
en el marco de su Sistema de Gestion de Seguridad de la
Informacion siendo para uso exclusivo del destinatario, quedando
prohibida su divulgacion copia o distribucion a terceros sin la
autorizacion expresa del remitente. Si Vd. ha recibido este mensaje
erroneamente, se ruega lo notifique al remitente y proceda a su borrado.
Gracias por su colaboracion.
______________________
This message including any attachments may contain confidential
information, according to our Information Security Management System,
and intended solely for a specific individual to whom they are addressed.
Any unauthorised copy, disclosure or distribution of this message
is strictly forbidden. If you have received this transmission in error,
please notify the sender immediately and delete it.
______________________

Prev by Date: Re: (ITS#5404) back-ldap fails intermittently with 80 Internal (implementation specific) error
Next by Date: Re: (ITS#5329) back-ldif deadlock
Index(es):
- Chronological
- Thread