
RE: Number of connections

On Mon, 15 Apr 2002, Yet Chang wrote:

> Here's a problem of openldap usage or configuration. Hope
> someone will be able to answer. Much appreciated.
> We run OpenLDAP 2.0 on Redhat Linux 7.0. 
> With the command "host" defined in ldap.conf,
> we can do ldapsearch & ldapadd successfully following 
> the Quick-Start Guide of OpenLDAP 2.0. We understand this
> is for the client & Server co-located mode on the same machine
> and the ldap client is using the "localhost" for ldapsearch/ldapadd .
> However, when we move to client and server on two machines 
> (connected via private TCP/IP LAN), we encounter problems:
> First we verify we can ping each other between the two machines,
> i.e. the client machine can ping the server ( IP address :
> , meaning the two machines are mutually reachable on the IP level.
> Second, we change the host command to be "host" in 
> client machine's ldap.conf file to signify the external ldap server's
> IP address of When we issue the ldapsearch or ldapadd 
> command on client machine, we got the error messages of 
> "ldap_bind : can't contact ldap server" ! We're stuck at this point.
> We try other means after reading the comment on openldap-bugs (ITS#322).
> As such, we add "-h" at the end of the ldap search or ldapadd,
> for example :
> ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -h
> We still got the same message of "ldap_bind : can't contact ldap server".
> Why are we getting these error messages when we've followed the "Quick Start
> Guide" ?
> Is it because we have to use a hostname instead of an IP address in the
> "-h" option or
> in the "host" command of ldap.conf ? I doubt this is the problem as the
> ldap.conf(5)
> document clearly says HOST can be followed by IP address.

You may have 1 of 2 problems, or both...

First, in /etc/hosts.allow add

Red Hat does use tcp_wrappers support in openldap.

Second, if you are using TLS, you will have to set up /etc/hosts on
both machines and use the actual FQDN of the
server (host.domain.tld); otherwise your cert
will not match the request and you will get an SSL error.

James Bourne

> Yet Chang
> -----Original Message-----
> From: James Bourne [mailto:jbourne@MtRoyal.AB.CA]
> Sent: Monday, April 15, 2002 3:39 PM
> To: Evaristo-Jose Camarero (ECE)
> Cc: 'OpenLDAP-software@OpenLDAP.org'
> Subject: Re: Number of connections
> On Mon, 15 Apr 2002, Adam Williams wrote:
> > >Can anybody tell me how many simultaneous connections can be served 
> > >by the openldap server (2.0.23 with Red Hat Linux 7.1).
> > >I have seen the code and it seems that there is a thread pool with 32 
> > >threads. Does it mean that server only can attend 32 connections at the
> > >same time?
> > 
> > Yes.  But answering a request should be very quick, and the thread then
> > processes the next request.  I suppose you could try increasing the
> > thread pool, but I don't know if that will work.  In actuality (every
> > case I've seen) 32 is a lot of concurrent queries.
> > 
> Yes, increasing the thread pool does work fine.
> You can set the number of threads and concurrent connections with:
> threads		<number of threads to run at max>
> concurrency	<number of concurrent connections to allow>
> One other thing to note, slapd uses select, and is therefore limited to
> 1024 concurrent connections due to the limit of __FD_SETSIZE (I ran into
> this in some scalability testing I was doing).  If it were using poll then
> the limit would be more scalable.
> Of course, if you can run a read server with 1024 connections, I'm sure
> you're doing fairly good...
> We generally set concurrency slightly less than threads.
> Regards
> James Bourne

James Bourne, Supervisor Data Centre Operations
Mount Royal College, Calgary, AB, CA

This communication is intended for the use of the recipient to which it is
addressed, and may contain confidential, personal, and or privileged
information. Please contact the sender immediately if you are not the
intended recipient of this communication, and do not copy, distribute, or
take action relying on it. Any communication received in error, or
subsequent reply, should be deleted or destroyed.
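The first fix in the reply above is a tcp_wrappers entry for slapd in /etc/hosts.allow; the shell script below is an added example (not from this thread and not OpenLDAP code) that applies simplified tcp_wrappers matching to constructed hosts.allow/hosts.deny contents, so an admin can predict whether a given client address would be let through to slapd or silently refused. It assumes the daemon name "slapd" and the sample addresses, and omits hostname tokens, EXCEPT clauses and spawn commands that the real library also supports.

```shell
#!/bin/sh
# Simplified tcp_wrappers access decision (hypothetical helper, not OpenLDAP code).
# Semantics modelled: hosts.allow is searched first and a match grants access,
# then hosts.deny, where a match denies; no match in either file means allow.
# Client tokens handled: ALL, an exact IP, a dotted prefix ("10.0.0."), net/mask.

# Constructed sample files for a server whose slapd should only be reachable
# from the 10.0.0.0/24 LAN and the 172.16/16 range (assumed addresses).
HOSTS_ALLOW_SAMPLE='# LDAP clients on the private LAN may reach slapd
slapd: 10.0.0., 172.16.0.0/255.255.0.0
sshd: ALL'
HOSTS_DENY_SAMPLE='ALL: ALL'

# rules_match DAEMON CLIENT_IP RULES_TEXT -> exit 0 if some rule line matches.
rules_match() {
    printf '%s\n' "$3" | awk -v d="$1" -v c="$2" '
    # Apply a contiguous dotted mask octet by octet (portable, no bitwise ops).
    function masked(ip, mask, a, b, i, r) {
        split(ip, a, "."); split(mask, b, ".")
        for (i = 1; i <= 4; i++) r = r (a[i] - a[i] % (256 - b[i])) "."
        return r
    }
    function cmatch(tok, nm) {
        if (tok == "ALL" || tok == c) return 1
        if (tok ~ /\.$/ && index(c, tok) == 1) return 1
        if (split(tok, nm, "/") == 2) return masked(c, nm[2]) == masked(nm[1], nm[2])
        return 0
    }
    /^[ \t]*(#|$)/ { next }
    {
        if (split($0, f, ":") < 2) next
        dm = 0; n = split(f[1], dl, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (dl[i] == d || dl[i] == "ALL") dm = 1
        if (!dm) next
        n = split(f[2], cl, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (cl[i] != "" && cmatch(cl[i])) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# wrap_check DAEMON CLIENT_IP ALLOW_TEXT DENY_TEXT -> 0 allowed, 1 denied.
wrap_check() {
    rules_match "$1" "$2" "$3" && return 0
    rules_match "$1" "$2" "$4" && return 1
    return 0
}

for ip in 10.0.0.5 172.16.44.1 192.168.9.9; do
    if wrap_check slapd "$ip" "$HOSTS_ALLOW_SAMPLE" "$HOSTS_DENY_SAMPLE"; then
        echo "slapd from $ip: allowed"
    else
        echo "slapd from $ip: denied (client sees: can't contact ldap server)"
    fi
done
```

A client refused by tcp_wrappers gets the connection closed immediately, which ldapsearch reports exactly as the "can't contact ldap server" error in the question, so checking the rules against the client's real source address is the first thing to verify.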