(ITS#6071) LDAP server becomes unresponsive
Full_Name: Carsten T. Rieck
Version: 2.4.11
OS: RedHat 5.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.194.157.126)
Hello,

my company runs an anonymously accessible LDAP server on openLDAP 2.4.11 with
Berkeley database 4.6.21 (all recent patches applied) and RedHat 5.1 as
operating system.

We encounter the problem that occasionally the LDAP server becomes unresponsive.
Investigating the network in such a situation shows a large number of
connections in the state CLOSE-WAIT. These connections remain persistent until
the LDAP server is restarted.

I am able to reproduce the issue in our test environment using a client which
accesses the LDAP using libldap. In an infinite loop, the client binds to the
LDAP and performs a search, but it does do a proper unbinding. After about
thirty loops (depending on the number of threads configured), the LDAP server
becomes unresponsive. With netstat, I see the connection still as ESTABLISHED.
After killing the client, the connection is marked as CLOSE-WAIT and remains in
that state until the server is restarted. Any additional attempts to bind to the
server lead to connections in state CLOSE-WAIT. I do not have a firewall in
my test environment.

When the server becomes unresponsive, the log displays the message "Resource
temporarily unavailable" as in the following extract:

Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: => acl_mask: access to entry "cn=ACME Class 2 CA,o=ACME AG,ou=rootcerts,dc=acme,dc=de", attr "certificateRevocationList;binary" requested
Apr 21 18:31:43 test2 slapd[644]: => acl_mask: to value by "", (=0)
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: cn=dsa-admin,ou=admin,dc=acme,dc=de
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: cn=dsa-audit,ou=admin,dc=acme,dc=de
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: anonymous
Apr 21 18:31:43 test2 slapd[644]: <= acl_mask: [3] applying =rscx (stop)
Apr 21 18:31:43 test2 slapd[644]: <= acl_mask: [3] mask: =rscx
Apr 21 18:31:43 test2 slapd[644]: => slap_access_allowed: read access granted by =rscx
Apr 21 18:31:43 test2 slapd[644]: => access_allowed: read access granted by =rscx
Apr 21 18:31:43 test2 slapd[644]: ber_flush2 failed errno=11 reason="Resource temporarily unavailable"
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Apr 21 18:31:43 test2 slapd[644]: daemon: activity on 2 descriptors
Apr 21 18:31:43 test2 slapd[644]: daemon: activity on:
Apr 21 18:31:43 test2 slapd[644]: 12w
Apr 21 18:31:43 test2 slapd[644]:
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero

In the openLDAP mailing lists I have seen other users having similar although
not identical problems. The common advice of reducing the parameter idletimeout
did not change the behavior.

I am most pleased to provide any further information.
I appreciate your help.

Best regards,
Carsten

slapd.conf
##=================================
##
include /usr/machine/local/admin/openldap/config/ldapdsa/schema/core.schema
include /usr/machine/local/admin/openldap/config/ldapdsa/schema/cosine.schema
include /usr/machine/local/admin/openldap/config/ldapdsa/schema/inetorgperson.schema
password-hash {SSHA}
######################
# generic parameters #
######################
idletimeout 2
sizelimit 1000
timelimit 2
sockbuf_max_incoming 300000
sockbuf_max_incoming_auth 5000000
threads 4
gentlehup on
####################
# pid & args files #
####################
pidfile /usr/machine/local/work/openldap/slapd.pid
argsfile /usr/machine/local/work/openldap/slapd.args
###############################################################################
##################
# ssl parameters #
##################
######################
# used cipher suites #
######################
TLSCipherSuite HIGH:MEDIUM:+SSLv3
###################
# key, certs etc. #
###################
TLSVerifyClient never
###############################################################################
##################################
# macro bdb database definitions #
##################################
##########################################
# suffix dc=acme,dc=de #
##########################################
database bdb
suffix "dc=acme,dc=de"
cachesize 8000
checkpoint 5 30
mode 0600
directory /usr/machine/local/persistent/openldap/acme
lastmod on
rootdn "cn=admin,dc=acme,dc=de"
rootpw <Passphrase removed>
limits anonymous size.soft=10
##########################################
# ACLs #
##########################################
include /usr/machine/local/admin/openldap/config/ldapdsa/acl.conf
#############
# set index #
#############
index default pres,eq
index objectclass
index cn,sn pres,eq,sub
index mail
#eof
##=================================
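
Added example, not part of the original report or of OpenLDAP: a small monitor for the symptom described above, counting sockets left in CLOSE_WAIT on the LDAP listener from a snapshot of the Linux /proc/net/tcp table (IPv4 only). The port 389, the alert threshold and the sample rows are assumptions constructed for illustration.

```python
import socket
from collections import Counter

LDAP_PORT = 389        # assumption: slapd listens on the default LDAP port
CLOSE_WAIT_LIMIT = 3   # assumption: illustrative alert threshold
CLOSE_WAIT = "08"      # TCP state code used by /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (addresses are little-endian hex).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0185 00000000:0000 0A 00000000:00000000 00:00000000 00000000    55        0 1001
   1: 0500000A:0185 0900000A:C350 08 00000000:00000001 00:00000000 00000000    55        0 1002
   2: 0500000A:0185 0900000A:C351 08 00000000:00000001 00:00000000 00000000    55        0 1003
   3: 0500000A:0185 0900000A:C352 08 00000000:00000001 00:00000000 00000000    55        0 1004
   4: 0500000A:0185 0700000A:9C40 01 00000000:00000000 00:00000000 00000000    55        0 1005
   5: 0500000A:0016 0900000A:D431 08 00000000:00000000 00:00000000 00000000     0        0 1006
"""


def decode_endpoint(field):
    """Turn '0500000A:0185' into ('10.0.0.5', 389) (little-endian host order)."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1]), int(port_hex, 16)


def close_wait_by_peer(table, port=LDAP_PORT):
    """Count CLOSE_WAIT sockets on the given local port, grouped by peer IP."""
    peers = Counter()
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != CLOSE_WAIT:
            continue
        _, local_port = decode_endpoint(fields[1])
        if local_port == port:
            peers[decode_endpoint(fields[2])[0]] += 1
    return peers


def check(table, port=LDAP_PORT, limit=CLOSE_WAIT_LIMIT):
    """Return (total, alert, per-peer counts) for one snapshot of the table."""
    peers = close_wait_by_peer(table, port)
    total = sum(peers.values())
    return total, total >= limit, dict(peers)


if __name__ == "__main__":
    # On a live host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    print(check(SAMPLE))
```

Run periodically, a CLOSE_WAIT total on the listener port that keeps growing between snapshots is the condition described in the report, and the per-peer counts show which client is leaving connections behind.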