
(ITS#6071) LDAP server becomes unresponsive



Full_Name: Carsten T. Rieck
Version: 2.4.11
OS: RedHat 5.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.194.157.126)


Hello,

my company runs an anonymously accessible LDAP server on OpenLDAP 2.4.11 with
Berkeley database 4.6.21 (all recent patches applied) and RedHat 5.1 as
operating system.

We encounter the problem that occasionally the LDAP server becomes unresponsive.
Investigating the network in such a situation shows a large number of
connections in the state CLOSE-WAIT. These connections remain persistent until
the LDAP server is restarted.

I am able to reproduce the issue in our test environment using a client which
accesses the LDAP using libldap. In an infinite loop, the client binds to the
LDAP and performs a search, but it does do a proper unbinding. After about
thirty loops (depending on the number of threads configured), the LDAP server
becomes unresponsive.  With netstat, I see the connection still as ESTABLISHED.
After killing the client, the connection is marked as CLOSE-WAIT and remains in
that state until the server is restarted. Any additional attempts to bind to the
server lead to connections in state CLOSE-WAIT. I do not have a firewall in
my test environment.

When the server becomes unresponsive, the log displays the message "Resource
temporarily unavailable" as in the following extract:
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: => acl_mask: access to entry "cn=ACME Class 2 CA,o=ACME AG,ou=rootcerts,dc=acme,dc=de", attr "certificateRevocationList;binary" requested
Apr 21 18:31:43 test2 slapd[644]: => acl_mask: to value by "", (=0)
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: cn=dsa-admin,ou=admin,dc=acme,dc=de
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: cn=dsa-audit,ou=admin,dc=acme,dc=de
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: anonymous
Apr 21 18:31:43 test2 slapd[644]: <= acl_mask: [3] applying =rscx (stop)
Apr 21 18:31:43 test2 slapd[644]: <= acl_mask: [3] mask: =rscx
Apr 21 18:31:43 test2 slapd[644]: => slap_access_allowed: read access granted by =rscx
Apr 21 18:31:43 test2 slapd[644]: => access_allowed: read access granted by =rscx
Apr 21 18:31:43 test2 slapd[644]: ber_flush2 failed errno=11 reason="Resource temporarily unavailable"
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Apr 21 18:31:43 test2 slapd[644]: daemon: activity on 2 descriptors
Apr 21 18:31:43 test2 slapd[644]: daemon: activity on:
Apr 21 18:31:43 test2 slapd[644]:  12w
Apr 21 18:31:43 test2 slapd[644]:
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero

In the OpenLDAP mailing lists I have seen other users having similar although
not identical problems. The common advice of reducing the parameter idletimeout
did not change the behavior.

I am most pleased to provide any further information.

I appreciate your help.

Best regards,
Carsten

slapd.conf
##=================================
##
include		/usr/machine/local/admin/openldap/config/ldapdsa/schema/core.schema
include		/usr/machine/local/admin/openldap/config/ldapdsa/schema/cosine.schema
include		/usr/machine/local/admin/openldap/config/ldapdsa/schema/inetorgperson.schema

password-hash	{SSHA}

######################
# generic parameters #
######################
idletimeout		2
sizelimit		1000
timelimit		2
sockbuf_max_incoming		300000
sockbuf_max_incoming_auth	5000000
threads			4
gentlehup		on

####################
# pid & args files #
####################

pidfile		/usr/machine/local/work/openldap/slapd.pid
argsfile	/usr/machine/local/work/openldap/slapd.args

###############################################################################

##################
# ssl parameters #
##################

######################
# used cipher suites #
######################
TLSCipherSuite HIGH:MEDIUM:+SSLv3

###################
# key, certs etc. #
###################
TLSVerifyClient		never

###############################################################################

##################################
# macro bdb database definitions #
##################################

##########################################
# suffix dc=acme,dc=de            #
##########################################

database	bdb
suffix		"dc=acme,dc=de"
cachesize	8000
checkpoint	5	30
mode		0600
directory	/usr/machine/local/persistent/openldap/acme
lastmod		on
rootdn		"cn=admin,dc=acme,dc=de"
rootpw		<Passphrase removed>
limits		anonymous size.soft=10

##########################################
# ACLs                                   #
##########################################
include /usr/machine/local/admin/openldap/config/ldapdsa/acl.conf

#############
# set index #
#############
index	default	pres,eq
index	objectclass
index	cn,sn pres,eq,sub
index	mail
	
#eof
##=================================
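
Added example, not part of the original report or of OpenLDAP: a monitoring check for the two symptoms described above, a pile-up of CLOSE-WAIT sockets on the LDAP port together with "ber_flush2 failed errno=11" (EAGAIN on Linux) in the slapd log. The netstat sample is constructed, and the port 389 and threshold defaults are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `netstat -tan` output (netstat prints the state as CLOSE_WAIT).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        1      0 192.0.2.10:389          192.0.2.20:41234        CLOSE_WAIT
tcp        1      0 192.0.2.10:389          192.0.2.20:41236        CLOSE_WAIT
tcp        0      0 192.0.2.10:389          192.0.2.21:50112        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.30:60001        ESTABLISHED
tcp6       1      0 2001:db8::10:389        2001:db8::20:41300      CLOSE_WAIT
"""

# Syslog lines in the format of the extract in the report, unwrapped.
LOG_SAMPLE = """\
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: ber_flush2 failed errno=11 reason="Resource temporarily unavailable"
Apr 21 18:31:43 test2 slapd[644]: daemon: activity on 2 descriptors
"""

FLUSH_RE = re.compile(
    r'^(\w{3}\s+\d+ [\d:]{8}) \S+ slapd\[(\d+)\]: '
    r'ber_flush2 failed errno=(\d+) reason="([^"]*)"')

def close_wait_by_port(netstat_text):
    """Count TCP sockets in CLOSE_WAIT per local port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        if fields[5] == "CLOSE_WAIT":
            # rsplit keeps IPv6 local addresses intact; the port is the last field
            counts[int(fields[3].rsplit(":", 1)[1])] += 1
    return counts

def flush_failures(log_text):
    """Return (timestamp, pid, errno, reason) for each ber_flush2 failure."""
    return [(m[1], int(m[2]), int(m[3]), m[4])
            for m in map(FLUSH_RE.match, log_text.splitlines()) if m]

def slapd_stuck(netstat_text, log_text, port=389, threshold=3):
    """True when both symptoms are present: CLOSE_WAIT pile-up and EAGAIN on flush."""
    stale = close_wait_by_port(netstat_text)[port]
    eagain = [f for f in flush_failures(log_text) if f[2] == 11]
    return stale >= threshold and bool(eagain)

if __name__ == "__main__":
    print(close_wait_by_port(NETSTAT_SAMPLE), slapd_stuck(NETSTAT_SAMPLE, LOG_SAMPLE))
```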