Re: slapd size and file descriptors



On Thursday 28 February 2008 07:26:26 Quanah Gibson-Mount wrote:
> --On Wednesday, February 27, 2008 8:51 PM -0800 Howard Chu <hyc@symas.com> wrote:
> > No, this is not OS dependent at all. slapd allocates its own Connection
> > array based on the number of available descriptors. There's nothing
> > unusual going on here, though 500K+ descriptors seems a bit excessive.
> > Unless you have a server listening on multiple network interfaces, the
> > most connections you're likely to get is 32768 or shy of 65536, depending
> > on OS. You should really think about what you're trying to accomplish and
> > what the realistic constraints actually are.
>
> On deployments with multi-million users (of which we have), it is not
> unreasonable that between slapd/imap/pop/mysql etc for there to be a need
> for a high number of file descriptors in use for the zimbra user.  However,
> I think it may be reasonable to break slapd out into its own user, so it
> can use a reduced set of file descriptors.

Well, the question is whether it is a good design to have *all* of those 
services running as the same user.

As a site currently running qmail-ldap+courier imap+mysql (for webmail/spam 
preferences), where smtpd runs as one user, pop3d as another, and courier 
imap also as its own (and of course, mysql running as mysql, OpenLDAP running 
as ldap), this whole "let's run everything as the zimbra user" is concerning 
(considering we are just starting a project to migrate to Zimbra, that may 
end up being more than 1 million users if the first half-million goes ok). 

For instance, I don't like the fact that the IMAP server process has write 
access to the LDAP database directory/files, or the fact that an apache 
vulnerability could result in an attacker having write access to the entire 
mailstore. Our current setup (architecture, as well as software 
configuration) has none of these security risks.

Regards,
Buchan
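As an added illustration of the point raised above (not code from the thread, from Zimbra or from OpenLDAP), a small audit that flags which service accounts can write to which sensitive directories when every daemon shares one user versus one user per daemon; the user ids, paths and mode bits below are constructed placeholders, and the check only models plain POSIX mode bits (no ACLs or capabilities):

```python
import os
import stat

# Constructed service -> (uid, set of gids) maps. SINGLE_USER mirrors the
# "everything runs as the zimbra user" layout; SPLIT_USER gives each daemon
# its own account. The numeric ids are made up for the example.
SINGLE_USER = {"slapd": (1000, {1000}), "imapd": (1000, {1000}), "httpd": (1000, {1000})}
SPLIT_USER = {"slapd": (1001, {1001}), "imapd": (1002, {1002}), "httpd": (1003, {1003})}

# Constructed sensitive paths -> (owner uid, owner gid, mode), as os.stat would
# report them, for each layout. Paths are placeholders, not real Zimbra paths.
PATHS_SINGLE = {"/srv/ldap-db": (1000, 1000, 0o700), "/srv/mailstore": (1000, 1000, 0o750)}
PATHS_SPLIT = {"/srv/ldap-db": (1001, 1001, 0o700), "/srv/mailstore": (1002, 1002, 0o750)}

# Which service is *supposed* to write each path (constructed policy).
ALLOWED = {"/srv/ldap-db": "slapd", "/srv/mailstore": "imapd"}


def user_can_write(mode, owner_uid, owner_gid, uid, gids):
    """True if a process running as uid/gids may write under POSIX mode bits."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(services, paths, allowed):
    """Return sorted (service, path) pairs where a service can write a path
    that policy assigns to a different service."""
    findings = []
    for svc, (uid, gids) in services.items():
        for path, (ouid, ogid, mode) in paths.items():
            if svc != allowed.get(path) and user_can_write(mode, ouid, ogid, uid, gids):
                findings.append((svc, path))
    return sorted(findings)


def audit_live(services, allowed):
    """Same check against the real filesystem, for the paths named in `allowed`."""
    paths = {}
    for p in allowed:
        st = os.stat(p)
        paths[p] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return audit(services, paths, allowed)
```

Running `audit(SINGLE_USER, PATHS_SINGLE, ALLOWED)` reports the IMAP and web daemons as able to write the LDAP database directory and the mail store; the split layout reports nothing.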