RE: Centralized LDAP Authentication or Kerberos+LDAP Authentication

["Matthew Hardin" <mhardin@symas.com>]

> > > > Your init script, like redhat's, stops the server with kill -9.
> > >
> > > RedHat's init procedure does *not*, unless something's seriously wrong
> > > with the proggie's init procedure.
> > >
> > > Please read RedHat's /etc/rc.d/init.d/functions yet again and look for
> > > the function 'killproc'.
> >
> > Yes. Upon rereading, it's not as bad as I thought, but still has a
> > potential problem.
> >
> > It allows 5 seconds for TERM to work and then runs KILL.
> 
> No, there's a problem there. Five seconds is _way_ too short. Consider
> that
> the Berkeley DB has to flush all of the unwritten transactions to disk,
> and
> that can take a while. The shutdown scripts we ship all give slapd 30
> seconds to complete its shutdown and we recommend 60 seconds or more for
> busy/large databases.

I left out some relevant information:

The amount of time required for slapd to shut down depends on the checkpoint
settings. If checkpoints happen more frequently, shutdown will be fast but
write performance may be slower. You need to determine the tradeoff that is
right for your installation.

All that being said, if your shutdown script is properly written, it still
doesn't hurt to allow a long time for slapd to shut down. Upon receipt of
the shutdown signal slapd will exit as soon as the cache has been flushed to
disk, and the script will exit as soon as it sees slapd has exited.

Matthew Hardin
Symas Corporation
Packaged, certified, and supported LDAP distributions
powered by OpenLDAP: http://www.symas.com