
Too many open files?



Hi all,

My latest test system includes a Kerberos server that uses OpenLDAP via IPC as its back-end database. It usually works, but not always. For example, recently, after failing to get kadmin to add a new principal to the Kerberos database, I found this error in the provider's syslog:

Feb 10 22:37:29 kls1 slapd[1722]: bdb_db_cache: db_open(entryUUID) failed: Too many open files (24)
Feb 10 22:37:29 kls1 slapd[1722]: bdb_index_read: Could not open DB entryUUID
Feb 10 22:37:29 kls1 slapd[1722]: conn=4 op=13 RESULT tag=105 err=80 text=index generation failed

A restart of the Kerberos KDC and admin servers seemed to solve the problem, but obviously that's not ideal. Later on, I had a look at the numbers of open files on the system:

~# lsof -i |grep slapd
slapd    1722  openldap    8u  IPv6   4603    TCP *:ldap (LISTEN)
slapd    1722  openldap    9u  IPv4   4604    TCP *:ldap (LISTEN)
slapd    1722  openldap  545u  IPv4  12823    TCP kls1.example.com:ldap->kls2.example.com:51555 (ESTABLISHED)
slapd    1722  openldap  744u  IPv4   8899    TCP kls1.example.com:ldap->kls2.example.com:49100 (ESTABLISHED)

545 and 745u!? A restart of the Kerberos servers didn't make a difference, although restarting slapd brought these values down to 8 and 9u respectively. However, I have no idea what caused these numbers to rise. See my provider/master server's config files below.

Does anyone have an idea what might be going on and how I might prevent this situation from occurring again?

Thanks,

Jaap

==/etc/ldap/slapd.conf================

# Schema files loaded before the database section; kerberos.schema
# supplies the krbPrincipalName attribute that is indexed below.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

# Dynamic backend module; loaded before "backend hdb" below so the
# backend type is known when the database section is parsed.
modulepath      /usr/lib/ldap
moduleload      back_hdb

# Maximum number of entries returned for a single search.
sizelimit 500

# Threads used in tool mode (slapadd/slapindex), not by the daemon.
tool-threads 1

# GSSAPI identity mapping. authz-regexp rules are tried in file order and
# the first match is used, so the specific admin and ldap/<host> patterns
# must stay ahead of the catch-all uid=<name> rule.
authz-regexp
     uid=admin,cn=example.com,cn=gssapi,cn=auth
     cn=admin,dc=example,dc=com

# Maps the ldap/<host> service principal of a replica to its entry under
# ou=consumers.
# NOTE(review): the dots in ".example.com" are unescaped regex
# metacharacters and match any character — confirm that is intended.
authz-regexp
     uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
     cn=$1,ou=consumers,dc=example,dc=com

authz-regexp
     uid=([^,]+),cn=example.com,cn=gssapi,cn=auth
     uid=$1,ou=people,dc=example,dc=com

sasl-realm EXAMPLE.COM

# Proxy authorization is decided only by the authzTo attribute of the
# authenticating identity. That attribute must not be writable by the
# identity itself; the catch-all ACL below gives write on ordinary
# attributes to cn=admin only, which keeps it that way.
authz-policy    to

backend         hdb

database        hdb

suffix          "dc=example,dc=com"

directory       "/var/lib/ldap"

# Berkeley DB tuning. slapd copies these into DB_CONFIG under "directory"
# only when that file does not already exist; an existing DB_CONFIG takes
# precedence, so check it if these settings seem to have no effect.
# set_cachesize <gbytes> <bytes> <ncache>: a 2 MiB cache.
dbconfig set_cachesize 0 2097152 0

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

# Each indexed attribute is a separate database file that back-hdb opens
# on demand. The syslog line "bdb_db_cache: db_open(entryUUID) failed:
# Too many open files (24)" is that on-demand open hitting slapd's
# per-process descriptor limit, not a problem with the index itself.
# The entryUUID and entryCSN eq indexes are needed by syncprov below.
index           objectClass eq
index           uid eq
index           krbPrincipalName eq,pres,sub
index           entryUUID eq
index           entryCSN eq

# Maintain modifiersName/modifyTimestamp/entryCSN on writes (required
# for replication).
lastmod         on

# Checkpoint the BDB transaction log every 512 KiB written or 30 minutes.
checkpoint      512 30

# ACLs are examined in order and the first "access to" clause whose
# target matches decides, so the specific rules precede the catch-all.
# Password attributes: admin writes, the kls2 replica reads them (needed
# to replicate them), anyone may bind against them, users may change
# their own, nobody else can see them.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write
        by dn="cn=kls2,ou=consumers,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none

# Kerberos container (where kldap keeps principals and their keys): only
# the kadmind and KDC bind DNs named in krb5.conf, the admin and the kls2
# replica may touch it; everyone else, including anonymous, gets nothing.
access to dn.subtree="ou=krb5,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
        by dn="cn=adm-srv,ou=krb5,dc=example,dc=com" write
        by dn="cn=kdc-srv,ou=krb5,dc=example,dc=com" read
        by dn="cn=kls2,ou=consumers,dc=example,dc=com" read
        by * none

# Root DSE readable by all (typically so clients can read
# supportedSASLMechanisms before binding).
access to dn.base="" by * read

# Catch-all: everything not matched above, ou=people included, is
# readable anonymously and writable only by cn=admin.
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

# Replication provider serving the kls2 consumer.
moduleload      syncprov
overlay         syncprov

# Persist contextCSN every 100 write ops or 10 minutes; remember the last
# 100 writes so a reconnecting consumer can catch up without a full
# refresh.
syncprov-checkpoint 100 10
syncprov-sessionlog 100

======================================

==/etc/default/slapd==================

# Empty: presumably the init script falls back to slapd's default
# configuration location — verify against the script.
SLAPD_CONF=

# slapd drops privileges to this user/group, so everything it opens (the
# database directory, the keytab below) must be readable by openldap.
SLAPD_USER="openldap"

SLAPD_GROUP="openldap"

# Empty: presumably the pidfile from slapd.conf is used — verify.
SLAPD_PIDFILE=

# Plain LDAP on all interfaces plus the local Unix socket. The KDC and
# kadmind talk to slapd over ldapi:/// (krb5.conf sets no ldap_servers).
# Note that "lsof -i" lists only IP sockets: those ldapi connections and
# the BDB files under the database directory are absent from its output
# even though they count toward slapd's open-file limit. "lsof -p <pid>"
# shows all of them. The EMFILE (errno 24) in the syslog is that
# per-process limit, inherited from the init script's environment; before
# raising it, check whether the ldapi connections from the KDC/kadmind
# keep accumulating over time.
SLAPD_SERVICES="ldap:/// ldapi:///"

# NOTE(review): presumably the init script refuses to start slapd while
# this file exists — verify.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd

# Keytab for the ldap/<host> GSSAPI service. It must be readable by
# SLAPD_USER; if /etc/krb5.keytab is also the host keytab, the openldap
# user can read the host key as well. A dedicated keytab holding only the
# ldap/ principal, owned by SLAPD_USER, limits that exposure.
export KRB5_KTNAME=/etc/krb5.keytab

SLAPD_OPTIONS=""

======================================

==/etc/krb5.conf======================

# Client defaults. Every TGT is requested forwardable and proxiable
# unless a client overrides it; clients that never delegate inherit this
# too, so it widens what a stolen ticket can do.
[libdefaults]
        default_realm = EXAMPLE.COM
        forwardable = true
        proxiable = true

# database_module selects the [dbmodules] entry below.
# NOTE(review): admin_server is "kls.example.com" while the KDC is
# "kls1.example.com" — confirm this is not a typo; kadmin (the operation
# that failed in the report) talks to admin_server.
[realms]
        EXAMPLE.COM = {
                kdc = kls1.example.com
                admin_server = kls.example.com
                database_module = openldap_ldapconf
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

# krb4_convert controls Kerberos 4 ticket conversion for login.krb5.
# Kerberos 4 is obsolete and cryptographically weak; this is presumably a
# leftover — verify nothing still depends on it.
[login]
        krb4_convert = true

# kldap (LDAP) database module. The two bind DNs are the identities
# granted write (kadmind) and read (KDC) on ou=krb5 in slapd.conf; their
# stashed passwords live in ldap_service_password_file, which must stay
# readable only by the user the KDC and kadmind run as.
# ldap_conns_per_server is the number of LDAP connections each process
# keeps to the server — here over ldapi, since ldap_servers is not set —
# so the KDC and kadmind together presumably hold up to twice that many
# Unix-socket connections to slapd.
[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
                ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
                ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=example,dc=com
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_conns_per_server = 5
        }

# One log file per component.
[logging]
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/kadmin.log
        default = FILE:/var/log/krb5/klib.log

======================================
Note: "ldap_servers" option omitted, as the default is to use IPC.
======================================