
Re: connection timeout?

On Wed, 10 Oct 2001 20:27:12 -0700
"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> Depends on the system, I guess.  If a kernel limit can be higher
> than the default FD_SETSIZE, then FD_SETSIZE should be redefinable.
> This allows a default suitable for the average user application,
> but redefinition as needed to support server applications.  If
> on your system redefining FD_SETSIZE as I shown cases warnings
> or errors, you'll have to take some other approach.

I think modern Linux is quite flexible here: most of the kernel parameters
can be adjusted through /proc entries, for example NR_OPEN.
Googling around I found similar problems with other software too.
Following this thread there are suggestions about nscd ... we tried with
it before, but were experiencing client lockups in a short period of time
... Someone suggested updating nss_ldap; I'll see if that'll make nscd
work without locking the machines up.

> As my shell's unlimit doesn't have an -n option, I cannot be sure
> what -n does...

From man bash:
ulimit -n: the maximum number of open file descriptors (most systems do
not allow this value to be set, only displayed)

> No, I was referring to idletimeout.

Yes yes ... I was looking at the 1.2.x man pages :) That looks like it can

> I note that well behaved clients should maintain connections
> for as long as they need them, that can be days.

I know what persistent connections are, but our client machines use ldap
for authentication, uid/gid resolving, and run a couple of shell scripts
which use ldapsearch. I think those do not classify as persistent.

And another thing (hm, the third so far :) :

n=0
while [ "$n" -lt "4000" ]; do
  # two searches per iteration, both left running in the background
  ldapsearch -h ldap-replica uid=someuid >/dev/null &
  ldapsearch -h ldap-replica cn=somecn >/dev/null &
  let "n += 1"
  echo $n
done

Run such a shell script against your ldap server. It tries to make a lot
of connections at once. Now I have a 2.0.15 openldap server compiled with
FD_SETSIZE=16384 and the same setting for ulimit -n, but the above script
starts returning "Can't contact LDAP server" before the number reaches
2000. If you let it run in a permanent loop, it could be a simple DoS.


Jure Pecar
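An added example, not code from this thread or from OpenLDAP: the messages above are really about two separate ceilings, the compile-time FD_SETSIZE that bounds what select() can track and the per-process RLIMIT_NOFILE that `ulimit -n` shows. The small C program below reads both, reports how many descriptors the process may open that an fd_set cannot hold, raises the soft limit to the hard limit the way a server does at startup, and provides a check a select()-based server should make before every FD_SET(). All calls are standard POSIX; the function names are mine.

```c
/* Added example (not from the thread): compare the compile-time FD_SETSIZE
 * used by select() with the per-process descriptor limit (RLIMIT_NOFILE,
 * what `ulimit -n` prints). Function names are this example's own. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/resource.h>

/* Descriptor bits an fd_set can actually hold, computed from the type
 * rather than trusting the macro. */
long fdset_bits(void)
{
    return (long)(sizeof(fd_set) * 8);
}

/* Soft RLIMIT_NOFILE, i.e. the value `ulimit -n` prints; -1 on error. */
long nofile_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

/* Hard RLIMIT_NOFILE, the ceiling an unprivileged process may raise to. */
long nofile_hard_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return (long)rl.rlim_max;
}

/* Raise the soft limit to the hard limit, as a server does at startup.
 * Returns the new soft limit, or -1 if the kernel refused. */
long raise_nofile_to_hard(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

/* 1 if fd may be passed to FD_SET()/select(), 0 otherwise. A descriptor
 * at or above FD_SETSIZE writes past the fd_set bitmap: this is the
 * classic memory-corruption bug in servers that raised ulimit -n but were
 * built with the default FD_SETSIZE. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Descriptors the limit permits beyond what an fd_set can track; 0 means
 * select() is safe for every descriptor this process can open. */
long descriptors_beyond_fdset(long soft_limit)
{
    long bits = fdset_bits();
    return soft_limit > bits ? soft_limit - bits : 0;
}

int main(void)
{
    long soft = nofile_soft_limit();
    printf("FD_SETSIZE              = %d\n", FD_SETSIZE);
    printf("fd_set capacity         = %ld bits\n", fdset_bits());
    printf("ulimit -n (soft / hard) = %ld / %ld\n", soft, nofile_hard_limit());
    printf("descriptors beyond fd_set now: %ld\n",
           descriptors_beyond_fdset(soft));
    long raised = raise_nofile_to_hard();
    if (raised >= 0)
        printf("after raising soft limit to hard: %ld beyond fd_set\n",
               descriptors_beyond_fdset(raised));
    return 0;
}
```

Build with `cc -o fdcheck fdcheck.c` and run it once normally and once after `ulimit -n` has been raised in the shell; a non-zero "beyond fd_set" count is exactly the situation the thread is circling around. Note that on glibc the `-DFD_SETSIZE=16384` trick Kurt describes produces a redefinition warning and has no effect, because `<sys/select.h>` redefines the macro from its internal `__FD_SETSIZE`; on such systems the honest answer for a server that needs more than 1024 descriptors is poll() or epoll, not a larger fd_set.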