ecip@gmv.es wrote:
Hi all, using openldap 2.4.8 as a metadirectory server in front of a couple of Active Directory Servers and a local database we have found an issue with the number of ESTABLISHED connections.
This is a part of the slapd configuration file:
backend meta
database meta

## Suffix of the tree exposed by the metadirectory and its
## administrator user (LDAP superuser).
suffix "dc=gmv,dc=es"
rootdn "cn=diradmin,dc=gmv,dc=es"
## Superuser password; convert to a hashed value with slappasswd.
rootpw secret

##############################################
### Options common to the whole metadirectory.
##############################################

#########################################
#### Common configuration directives.
## TTL after which a connection is dropped even if it is not idle (6 minutes).
conn-ttl 360
## LDAP protocol version to use.
protocol-version 3
## Action on a referral.
chase-referrals no
## TTL after which an idle connection is dropped (5 minutes).
idletimeout 300

#####################################################################
### Definition of the remote LDAP used for UNIX user and group
### information queries from machines that are LDAP clients.
#####################################################################
## Definition of the remote target servers to query.
## The first remote server that responds will be queried.
## I define a list of DCs that can respond for the naming context
## dc=gmv,dc=es. First target with its configuration parameters.
uri "ldap://gmvdc1.gmv.es/DC=gmv,DC=es ldap://gmvdc2.gmv.es/"
idle-timeout 300
## Enable the rewrite system for queries.
rewriteEngine on
overlay rwm
and the output of the netstat -an command shows too many ESTABLISHED connections between the metadirectory and the remote servers.
After a while, the process runs out of file descriptors.
There seems to be no clear indication of a software bug, but rather a resource exhaustion, which could be reduced by properly identifying how the proxy works and how the clients exploit its functionalities.
A few comments:
- why do you use back-meta with just one URI? Use back-ldap instead.
- why do you enable the rewrite engine for that URI but don't specify any rewrite rule? Is your server performing so well that it can afford to waste some cycles?
- why do you add slapo-rwm (not needed with back-meta, since it has built-in rewrite capabilities you don't need, but you just switched on; see the previous remark)? Again, are you keen to reduce the performance of your proxy?
With respect to resource exhaustion, it might depend on the usage you make of your system. Are you using it for multiple authentications on the same client connection? In that case, you might need to look at the "single-conn" directive; in that case, if your clients are using authenticated connections for repeated operations, you might look at idassert-bind (I note it's not documented in slapd-meta(5), but it's identical to that for slapd-ldap(5), except it's on a per-target basis).
Hope this helps. I suggest you move discussion to openldap-software, to find out how to improve your configuration.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------