[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: connection timeout?

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: connection timeout?
From: Jure Pecar <Jure.Pecar@select-tech.si>
Date: Thu, 11 Oct 2001 16:31:02 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <5.1.0.14.0.20011010200743.016ae6b8@127.0.0.1>
Organization: Select Technology
References: <5.1.0.14.0.20011009135401.01688d68@127.0.0.1> <200110081634.f98GYhQ14074@stsrv.select-tech.si> <5.1.0.14.0.20011009135401.01688d68@127.0.0.1> <5.1.0.14.0.20011010200743.016ae6b8@127.0.0.1>

On Wed, 10 Oct 2001 20:27:12 -0700
"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> Depends on the system, I guess.  If a kernel limit can be higher
> than the default FD_SETSIZE, then FD_SETSIZE should be redefinable.
> This allows a default suitable for the average user application,
> but redefinition as needed to support server applications.  If
> on your system redefining FD_SETSIZE as I shown cases warnings
> or errors, you'll have to take some other approach.

I think modern linux is quite flexible here: most of the kernel parameters
can be adjusted through /proc entries, for example NR_OPEN.
Googling around i found similiar problems with other software too:
http://www.google.com/search?q=cache:e-magIB58oU:www.jlinux.org/server.html+linux+2.4+1024+open+file+descriptors
http://www.google.com/search?q=cache:Bxmnr0lUjx0:www.kegel.com/c10k.html+linux+2.2+select+1024+open+file+descriptors
http://www.openldap.org/lists/openldap-software/200011/msg00180.html
Following this thread there are suggestions about nscd ... we tried with
it before, but were expiriencing client lockups in a short period of time
... Someone suggested updating nss_ldap; i'll see if that'll make nscd
work without locking the machines up.

> As my shell's unlimit doesn't have an -n option, I cannot be sure
> what -n does...

from man bash:
ulimit -n: the  maximum number of open file descriptors (most systems do
not allow this value to be set, only displayed)

> No, I was referring to idletimeout.

Yes yes ... i was looking at the 1.2.x man pages :) That looks like it can
help.

> I note that well behaved clients should maintain connections
> for as long as they need them, that can be days.

I know what persistant connections are, but our client machines use ldap
for authentication, uid/gid resolving, and run a couple of shell scripts
which use ldapsearch. I think those do not classify as persistant
connections.

And another thing (hm, the third so far :) :

#!/bin/bash
n=0
while [ "$n" -lt "4000" ]
do 
ldapsearch -h ldap-replica uid=someuid >/dev/null &
ldapsearch -h ldap-replica cn=somecn >/dev/null &
let "n += 1"
echo $n
done

Run such a shell script against your ldap server. It tries to make a lot
of connections at once. Now i have a 2.0.15 openldap server compiled with
FD_SETSIZE=16384 and the same setting for ulimit -n, but the above script
starts returning "Can't contact LDAP server" before the nuber reaches
2000. If you let it run in a permanent loop, it could be a simple DoS. 

--

Jure Pecar

Follow-Ups:
- Re: connection timeout?
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: connection timeout?
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- connection timeout?
  - From: Jure Pecar <Jure.Pecar@select-tech.si>
- Re: connection timeout?
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: LDAP enabled socks5 client
Next by Date: is partial replication possible?
Index(es):
- Chronological
- Thread