Full_Name: Carsten T. Rieck
Version: 2.4.11
OS: RedHat 5.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (193.194.157.126)
Hello,
my company runs an anonymously accessible LDAP server on openLDAP 2.4.11 with Berkeley database 4.6.21 (all recent patches applied) and RedHat 5.1 as the operating system.
We encounter the problem that occasionally the LDAP server becomes unresponsive. Investigating the network in such a situation shows a large number of connections in the state CLOSE-WAIT. These connections remain persistent until the LDAP server is restarted.
I am able to reproduce the issue in our test environment using a client which accesses the LDAP using libldap. In an infinite loop, the client binds to the LDAP and performs a search, but it does do a proper unbinding. After about thirty loops (depending on the number of threads configured), the LDAP server becomes unresponsive. With netstat, I see the connection still as ESTABLISHED. After killing the client, the connection is marked as CLOSE-WAIT and remains in that state until the server is restarted. Any additional attempt to bind to the server leads to connections in state CLOSE-WAIT. I do not have a firewall in my test environment.
When the server becomes unresponsive, the log displays the message "Resource temporarily unavailable" as in the following extract:

Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: => acl_mask: access to entry "cn=ACME Class 2 CA,o=ACME AG,ou=rootcerts,dc=acme,dc=de", attr "certificateRevocationList;binary" requested
Apr 21 18:31:43 test2 slapd[644]: => acl_mask: to value by "", (=0)
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: cn=dsa-admin,ou=admin,dc=acme,dc=de
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: cn=dsa-audit,ou=admin,dc=acme,dc=de
Apr 21 18:31:43 test2 slapd[644]: <= check a_dn_pat: anonymous
Apr 21 18:31:43 test2 slapd[644]: <= acl_mask: [3] applying =rscx (stop)
Apr 21 18:31:43 test2 slapd[644]: <= acl_mask: [3] mask: =rscx
Apr 21 18:31:43 test2 slapd[644]: => slap_access_allowed: read access granted by =rscx
Apr 21 18:31:43 test2 slapd[644]: => access_allowed: read access granted by =rscx
Apr 21 18:31:43 test2 slapd[644]: ber_flush2 failed errno=11 reason="Resource temporarily unavailable"
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Apr 21 18:31:43 test2 slapd[644]: daemon: activity on 2 descriptors
Apr 21 18:31:43 test2 slapd[644]: daemon: activity on:
Apr 21 18:31:43 test2 slapd[644]: 12w
Apr 21 18:31:43 test2 slapd[644]:
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=8 active_threads=1 tvp=zero
In the openLDAP mailing lists I have seen other users having similar although not identical problems. The common advice of reducing the parameter idletimeout did not change the behavior.
I am most pleased to provide any further information.
I appreciate your help.
Best regards, Carsten
slapd.conf
##=================================
##
include /usr/machine/local/admin/openldap/config/ldapdsa/schema/core.schema
include /usr/machine/local/admin/openldap/config/ldapdsa/schema/cosine.schema
include /usr/machine/local/admin/openldap/config/ldapdsa/schema/inetorgperson.schema

password-hash {SSHA}

######################
# generic parameters #
######################
idletimeout 2
sizelimit 1000
timelimit 2
sockbuf_max_incoming 300000
sockbuf_max_incoming_auth 5000000
threads 4
gentlehup on

####################
# pid & args files #
####################
pidfile /usr/machine/local/work/openldap/slapd.pid
argsfile /usr/machine/local/work/openldap/slapd.args

###############################################################################

##################
# ssl parameters #
##################

######################
# used cipher suites #
######################
TLSCipherSuite HIGH:MEDIUM:+SSLv3

###################
# key, certs etc. #
###################
TLSVerifyClient never

###############################################################################

##################################
# macro bdb database definitions #
##################################

##########################################
# suffix dc=acme,dc=de                   #
##########################################
database bdb
suffix "dc=acme,dc=de"
cachesize 8000
checkpoint 5 30
mode 0600
directory /usr/machine/local/persistent/openldap/acme
lastmod on
rootdn "cn=admin,dc=acme,dc=de"
rootpw <Passphrase removed>
limits anonymous size.soft=10

##########################################
# ACLs                                   #
##########################################
include /usr/machine/local/admin/openldap/config/ldapdsa/acl.conf

#############
# set index #
#############
index default pres,eq
index objectclass
index cn,sn pres,eq,sub
index mail
#eof
##=================================
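As an added example (not part of the report above and not OpenLDAP code), a monitoring check that recognises the failure mode the report describes from its two visible symptoms: CLOSE_WAIT sockets piling up on the slapd listener, and ber_flush2 failures with errno 11 (EAGAIN, "Resource temporarily unavailable") in the slapd syslog. The netstat and syslog samples are constructed, modelled on Linux `netstat -tan` output and on the log extract in the report; the listener port and thresholds are assumptions.

```python
"""Detect a slapd CLOSE_WAIT pile-up paired with ber_flush2 EAGAIN errors."""
import re
from collections import Counter

# Constructed sample of `netstat -tan` output (not captured from the reporter's host).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:389            10.0.0.7:40001          CLOSE_WAIT
tcp        0      0 10.0.0.5:389            10.0.0.7:40002          CLOSE_WAIT
tcp        0      0 10.0.0.5:389            10.0.0.7:40003          ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.9:51000          ESTABLISHED
tcp        0      0 10.0.0.5:389            10.0.0.8:40004          CLOSE_WAIT
"""

# Constructed syslog lines modelled on the extract in the report.
SLAPD_LOG_SAMPLE = """\
Apr 21 18:31:43 test2 slapd[644]: daemon: epoll: listen=7 busy
Apr 21 18:31:43 test2 slapd[644]: ber_flush2 failed errno=11 reason="Resource temporarily unavailable"
Apr 21 18:31:44 test2 slapd[644]: daemon: activity on 2 descriptors
Apr 21 18:31:45 test2 slapd[644]: ber_flush2 failed errno=11 reason="Resource temporarily unavailable"
"""

# proto recv-q send-q local:port foreign:port state
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)$")
FLUSH_RE = re.compile(r"slapd\[\d+\]: ber_flush2 failed errno=(\d+)")


def close_wait_by_peer(netstat_output, ldap_port=389):
    """Return {peer_ip: count} of CLOSE_WAIT sockets on the LDAP listener port."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(5) == "CLOSE_WAIT" and int(m.group(2)) == ldap_port:
            counts[m.group(3)] += 1
    return dict(counts)


def eagain_flush_failures(log_text):
    """Count ber_flush2 failures with errno 11 (EAGAIN) in slapd syslog lines."""
    count = 0
    for line in log_text.splitlines():
        m = FLUSH_RE.search(line)
        if m and int(m.group(1)) == 11:
            count += 1
    return count


def slapd_stuck(netstat_output, log_text, max_close_wait=2, ldap_port=389):
    """True when stuck CLOSE_WAIT sockets exceed the threshold (assumed value)
    and the log shows the matching write failures; the report found only a
    slapd restart clears this state, so an on-call check should page on it."""
    total = sum(close_wait_by_peer(netstat_output, ldap_port).values())
    return total > max_close_wait and eagain_flush_failures(log_text) > 0
```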