On Thursday 28 February 2008 07:26:26 Quanah Gibson-Mount wrote:
> --On Wednesday, February 27, 2008 8:51 PM -0800 Howard Chu hyc@symas.com wrote:
>> No, this is not OS dependent at all. slapd allocates its own Connection array based on the number of available descriptors. There's nothing unusual going on here, though 500K+ descriptors seems a bit excessive. Unless you have a server listening on multiple network interfaces, the most connections you're likely to get is 32768 or shy of 65536, depending on OS. You should really think about what you're trying to accomplish and what the realistic constraints actually are.
> On deployments with multi-million users (of which we have), it is not unreasonable that between slapd/imap/pop/mysql etc. for there to be a need for a high number of file descriptors in use for the zimbra user. However, I think it may be reasonable to break slapd out into its own user, so it can use a reduced set of file descriptors.
Well, the question is whether it is a good design to have *all* of those services running as the same user.
As a site currently running qmail-ldap+courier imap+mysql (for webmail/spam preferences), where smtpd runs as one user, pop3d as another, and courier imap also as its own (and of course, mysql running as mysql, OpenLDAP running as ldap), this whole "let's run everything as the zimbra user" is concerning (considering we are just starting a project to migrate to Zimbra, that may end up being more than 1 million users if the first half-million goes ok).
For instance, I don't like the fact that the IMAP server process has write access to the LDAP database directory/files, or the fact that an apache vulnerability could result in an attacker having write access to the entire mailstore. Our current setup (architecture, as well as software configuration) has none of these security risks.
Regards, Buchan
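The cross-service write-access concern raised in this reply (IMAP writing into the LDAP database directory, apache writing into the mailstore) can be checked mechanically. The script below is an added example, not code from the thread or from Zimbra or OpenLDAP: it models the standard Unix discretionary permission check against a constructed set of service accounts and data directories, and reports every daemon whose account could write to data that belongs to a different daemon. The account names, uids/gids, modes and the `/opt/zimbra/...` paths are constructed for illustration; the three layouts compare a single shared account, one account per daemon, and one account per daemon that still shares a common group with group-writable data.

```python
"""Cross-service write-access audit (added example, not from the thread).

Models the Unix DAC rule for a constructed inventory of service accounts
and data directories and reports daemons that can write into another
daemon's data. Root (uid 0) bypasses DAC and is deliberately not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

S_IWUSR, S_IWGRP, S_IWOTH = 0o200, 0o020, 0o002


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gids: Set[int]      # primary plus supplementary groups


@dataclass(frozen=True)
class PathEntry:
    path: str
    owner_uid: int
    group_gid: int
    mode: int           # permission bits only, e.g. 0o700
    service: str        # daemon that legitimately owns this data


def can_write(acct: Account, entry: PathEntry) -> bool:
    """Classic Unix check: owner bits if the uid matches, otherwise group
    bits if any of the account's groups match, otherwise the 'other' bits."""
    if acct.uid == entry.owner_uid:
        return bool(entry.mode & S_IWUSR)
    if entry.group_gid in acct.gids:
        return bool(entry.mode & S_IWGRP)
    return bool(entry.mode & S_IWOTH)


def audit(accounts: Dict[str, Account], entries: List[PathEntry],
          daemon_account: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted (daemon, path) pairs where the daemon's account can
    write to data that belongs to a different daemon."""
    findings = []
    for daemon, acct_name in daemon_account.items():
        acct = accounts[acct_name]
        for e in entries:
            if e.service != daemon and can_write(acct, e):
                findings.append((daemon, e.path))
    return sorted(findings)


# Constructed layout 1: every daemon runs as the single "zimbra" account.
SHARED = {"zimbra": Account("zimbra", 1000, {1000})}
SHARED_DAEMONS = {"slapd": "zimbra", "imapd": "zimbra", "httpd": "zimbra"}
SHARED_PATHS = [
    PathEntry("/opt/zimbra/data/ldap", 1000, 1000, 0o700, "slapd"),
    PathEntry("/opt/zimbra/store",     1000, 1000, 0o700, "imapd"),
]

# Constructed layout 2: one account per daemon, private data directories.
SPLIT = {
    "ldap":   Account("ldap",   1001, {1001}),
    "imap":   Account("imap",   1002, {1002}),
    "apache": Account("apache", 1003, {1003}),
}
SPLIT_DAEMONS = {"slapd": "ldap", "imapd": "imap", "httpd": "apache"}
SPLIT_PATHS = [
    PathEntry("/opt/zimbra/data/ldap", 1001, 1001, 0o700, "slapd"),
    PathEntry("/opt/zimbra/store",     1002, 1002, 0o700, "imapd"),
]

# Constructed layout 3: separate accounts, but all in a common group (gid
# 1000) and the LDAP directory left group-writable. The split alone does
# not help if the group bits re-open the door.
SPLIT_GROUP = {
    "ldap":   Account("ldap",   1001, {1001, 1000}),
    "imap":   Account("imap",   1002, {1002, 1000}),
    "apache": Account("apache", 1003, {1003, 1000}),
}
SPLIT_GROUP_PATHS = [
    PathEntry("/opt/zimbra/data/ldap", 1001, 1000, 0o770, "slapd"),
    PathEntry("/opt/zimbra/store",     1002, 1002, 0o700, "imapd"),
]


def shared_layout_findings() -> List[Tuple[str, str]]:
    return audit(SHARED, SHARED_PATHS, SHARED_DAEMONS)


def split_layout_findings() -> List[Tuple[str, str]]:
    return audit(SPLIT, SPLIT_PATHS, SPLIT_DAEMONS)


def split_shared_group_findings() -> List[Tuple[str, str]]:
    return audit(SPLIT_GROUP, SPLIT_GROUP_PATHS, SPLIT_DAEMONS)


if __name__ == "__main__":
    for label, fn in [("shared account", shared_layout_findings),
                      ("split accounts", split_layout_findings),
                      ("split accounts, shared group", split_shared_group_findings)]:
        print(f"{label}: {fn() or 'no cross-service write access'}")
```

On a real host the same `audit` function can be fed from `os.stat()` results and `pwd`/`grp` lookups instead of the constructed tables; the point of the three layouts is that the finding list for the shared account is the concrete form of the concern above, and that the list only stays empty when both the account split and the mode/group assignments are right.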