
[no subject]



OpenLDAP 2.4.44 under RHEL 7.1

I'm using back-ldap to proxy a back-mdb instance with 1K users. The relevant part of the proxy configuration is:

dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=com
olcDbURI: "ldap://ldap-server.example.com:389/"
olcDbIDAssertBind: bindmethod=none
olcDbIDAssertAuthzFrom: {0}"*"
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE

I'm using slamd for doing performance tests. According to the back-ldap man page, sessions that explicitly Bind to the back-ldap database always create their own private connection to the remote LDAP server. The private connections are closed after the remote LDAP server idletimeout (15 min), but remain stuck in a CLOSE_WAIT status. Moreover, it seems that the private connections are not reused for further BINDs with the same user, since the available file descriptors (8192) on the remote server are quickly exhausted (only 1K users). Using the parameter

olcDbSingleConn: TRUE

improves the situation (the number of connections open on the remote server and the proxy are more or less identical), but slapd logs show errors:

2016-05-23T11:18:50.100499+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 ldap_back_retry: retrying URI="ldap://mirror.example.com:389" DN=""
2016-05-23T11:18:50.100542+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 RESULT tag=97 err=52 text=Proxy operation retry failed

The encountered problem seems to be related to ITS#4387 (http://www.openldap.org/its/index.cgi/Archive.Software%20Bugs?id=4387;selectid=4387;usearchives=1) and ITS#4420 (http://www.openldap.org/its/index.cgi/Archive.Incoming?id=4420;selectid=4420;usearchives=1).
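
Added example, not part of the original post: a small Python check that measures the CLOSE_WAIT build-up described above by counting the TCP states of connections to the LDAP port in captured `ss -tan` output and relating the total to the descriptor limit. The sample output and its addresses are constructed; port 389 and the 8192 limit are taken from the post, and the function names are hypothetical.

```python
from collections import Counter

LDAP_PORT = 389   # port from olcDbURI in the post
FD_LIMIT = 8192   # descriptor limit quoted in the post

# Constructed sample of `ss -tan` output (addresses are made up).
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      192.0.2.10:40112    192.0.2.20:389
CLOSE-WAIT 1      0      192.0.2.10:40113    192.0.2.20:389
CLOSE-WAIT 1      0      192.0.2.10:40114    192.0.2.20:389
CLOSE-WAIT 1      0      192.0.2.10:40115    192.0.2.20:389
ESTAB      0      0      192.0.2.10:22       192.0.2.99:51515
LISTEN     0      128    *:389               *:*
"""


def port_of(endpoint):
    """Return the numeric port of an addr:port field, or None for '*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def ldap_states(ss_output, port=LDAP_PORT):
    """Count TCP states of connections whose peer port is `port`."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # skip the header and malformed lines
        state, peer = fields[0], fields[4]
        if port_of(peer) == port:
            counts[state] += 1
    return counts


def close_wait_report(ss_output, fd_limit=FD_LIMIT):
    """Summarise half-closed LDAP connections against the descriptor limit."""
    counts = ldap_states(ss_output)
    total = sum(counts.values())
    return {"total": total,
            "close_wait": counts.get("CLOSE-WAIT", 0),
            "fd_used_pct": round(100.0 * total / fd_limit, 2)}


if __name__ == "__main__":
    print(close_wait_report(SAMPLE_SS))
```

Run periodically during a load test, a `close_wait` count that keeps growing while `ESTAB` stays flat indicates sockets that the peer has closed but the local process has not released.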