[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Changing timeouts from a slapd module

To: Michael Ströder <michael@stroeder.com>
Subject: Re: Changing timeouts from a slapd module
From: dee heffem <dheffem@gmail.com>
Date: Fri, 24 May 2019 12:25:26 -0500
Cc: OpenLDAP Technical <openldap-technical@openldap.org>
Content-language: en-US
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=mNP/aIeJOq4peQXzdq24oo0hzzfpbpbGlxuJvakzQMQ=; b=YkicaUceq1l0TcZ0yyj+hozZDZWO+NCK8xxnP3f0PdSg/iXWYXUhOxm3j9QpgD/f4J icY6JjOEBOdqOlWO+wpb7qXyEMU8j/OxRFqivXAo8TEAA2vSV1ZVpjCcggclxqLC1b1f iSmhXf2dNIyEyZP9fokCBveaomiSN05vU+KmPz8+vW5t1lXuO0SkDJ9rfyekn8hjxrd1 CJyc1Xn6eWM5GpPmP9lniWrjjvdlYvGYRionS9LwkUpTdzmZZv54+4sl2vlueZYxwhjI p8SFCMYmaGw1TyOKiDzzMztj8eqaSprV7qp6SoC/BErKzlMpIw1f6zNBCW/9wVKqrO7G oelw==
In-reply-to: <b4d06035-40d8-346a-61ed-43c12575f1ad@stroeder.com>
References: <CAM-t1EaWZ1mmzbtyV-XRxtmyk=6kRbsdYzC7WFLBZv5=F7XBhQ@mail.gmail.com> <87ef51x91g.fsf@pink.fritz.box> <3F66A84DB9D8E99EF5A5825C@192.168.1.39> <CAM-t1EbApGTcNpd6bHSFQEU91OQFDYO0J2UzDSX7RnyMGDPUQg@mail.gmail.com> <87k1esyscr.fsf@pink.fritz.box> <CAM-t1Eak3b+3jB2NTagSVc-JPvW0exqJRZFhkmQ++49AEZ5Q6A@mail.gmail.com> <2B13C8F70A0C725107F0641B@192.168.1.39> <CAM-t1EZYcqYCiNdphAQ23kaMP_wgsyjt0SF=cuwWmaj4SMqjwA@mail.gmail.com> <01A83D0402E9486565385086@[192.168.1.39]> <bc09ac9b-4d64-e445-eda3-1a95cd30871c@gmail.com> <d2428f7b-d338-e2b7-5925-95309d319ddc@stroeder.com> <1f32babf-2059-4f65-8276-9ace51b34ccf@gmail.com> <b4d06035-40d8-346a-61ed-43c12575f1ad@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

On 5/22/19 8:50 AM, Michael Ströder wrote:
<snip>
> 
> Each request is processed by a slapd worker-thread. But this means that
> when setting
> 
> threads n
> 
> in your slapd.conf only max. n bind operations can wait for push
> message. The next one will block

I'm running OpenLDAP 2.4.42 (Ubuntu package) on the  server which uses
cn=config. zytrax shows the equivalent parameter being olcThreads which
is 16 by default (I don't have the parameter set). Does this mean
I should expect to get 16 "non-blocking" push requests running
concurrently instead of only the one?  Maybe I am misunderstanding -
You mentioned earlier: "slapd worker thread is blocked for the whole
processing time" so maybe this means the password overlay is not
designed to run concurrently and this is all for naught?

Additionally, regarding the 10 second timeout in my original post, I've
run more testing and it seems this timeout is limited to the Linux
`su` command. Huh..perhaps I need to look into the PAM stack config or
other client-side settings, not slapd. I'll have to try and hunt
that down. Authenticating with a PHP application, or using an
authenticated bind with ldapsearch doesn't timeout for nearly a minute.

> 
> BTW: Not sure about the capabilities of the 2FA service you're using.
> Such a service might serialize all your calls or have some other type of
> rate-limiting in place.

The vendor offers a "push test" utility which simply sends a user a
push request to test the setup. I can indeed synchronously process
pushes to two users at once (slapd out of the loop) so I don't
believe the API is rate limiting at this point.

The source code for the utility is available and the same push call
they use is the one I use in the password overlay. The only difference
is I had to recompile the API library statically for use with slapd.
I will have to look into the gcc flags and make sure I didn't mess
something up there.

Thanks

Follow-Ups:
- Re: Changing timeouts from a slapd module
  - From: Michael Ströder <michael@stroeder.com>

References:
- accesslog database: overflow or data rotation?
  - From: Manuela Mandache <manuela.mandache.mm@gmail.com>
- Re: accesslog database: overflow or data rotation?
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: accesslog database: overflow or data rotation?
  - From: Manuela Mandache <manuela.mandache.mm@gmail.com>
- Re: accesslog database: overflow or data rotation?
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: accesslog database: overflow or data rotation?
  - From: Manuela Mandache <manuela.mandache.mm@gmail.com>
- Re: accesslog database: overflow or data rotation?
  - From: Manuela Mandache <manuela.mandache.mm@gmail.com>
- Re: accesslog database: overflow or data rotation?
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Changing timeouts from a slapd module
  - From: dee heffem <dheffem@gmail.com>
- Re: Changing timeouts from a slapd module
  - From: Michael Ströder <michael@stroeder.com>
- Re: Changing timeouts from a slapd module
  - From: dee heffem <dheffem@gmail.com>
- Re: Changing timeouts from a slapd module
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Help need with replication
Next by Date: Re: Changing timeouts from a slapd module
Index(es):
- Chronological
- Thread