On Thursday 28 February 2008 07:26:26 Quanah Gibson-Mount wrote:
--On Wednesday, February 27, 2008 8:51 PM -0800 Howard Chu
> No, this is not OS dependent at all. slapd allocates its own Connection
> array based on the number of available descriptors. There's nothing
> unusual going on here, though 500K+ descriptors seems a bit excessive.
> Unless you have a server listening on multiple network interfaces, the
> most connections you're likely to get is 32768 or shy of 65536, depending
> on OS. You should really think about what you're trying to accomplish and
> what the realistic constraints actually are.
On deployments with multi-million users (of which we have), it is not
unreasonable, between slapd/imap/pop/mysql etc., for there to be a need
for a high number of file descriptors in use for the zimbra user. However,
I think it may be reasonable to break slapd out into its own user, so it
can use a reduced set of file descriptors.
Well, the question is whether it is a good design to have *all* of those
services running as the same user.
As a site currently running qmail-ldap+courier imap+mysql (for webmail/spam
preferences), where smtpd runs as one user, pop3d as another, and courier
imap also its own (and of course, mysql running as mysql, OpenLDAP running
as ldap), this whole "let's run everything as the zimbra user" is concerning
(considering we are just starting a project to migrate to Zimbra, that may
end up being more than 1 million users if the first half-million goes ok).
For instance, I don't like the fact that the IMAP server process has write
access to the LDAP database directory/files, or the fact that an apache
vulnerability could result in an attacker having write access to the entire
mailstore. Our current setup (architecture, as well as software
configuration) has none of these security risks.
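As an added example (not code from this thread, from OpenLDAP or from Zimbra), the following Python audit applies the POSIX mode-bit rule to a constructed table of service accounts and data directories, contrasting the single-user layout discussed above with a per-service layout; the account names, uids, group ids and paths are assumptions made up for the example.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str          # service, named as in the thread (slapd, imapd, apache)
    uid: int
    gids: frozenset    # primary plus supplementary group ids

@dataclass(frozen=True)
class DataDir:
    path: str
    uid: int
    gid: int
    mode: int          # permission bits, i.e. st_mode & 0o777

def can_write(acct, d):
    """POSIX discretionary write check: root bypasses; ACLs and MAC are not modelled."""
    if acct.uid == 0:
        return True
    if acct.uid == d.uid:
        return bool(d.mode & stat.S_IWUSR)
    if d.gid in acct.gids:
        return bool(d.mode & stat.S_IWGRP)
    return bool(d.mode & stat.S_IWOTH)

def audit(accounts, dirs, intended):
    """Sorted (service, path) pairs that are writable although `intended` does not grant them."""
    return sorted((a.name, d.path) for a in accounts for d in dirs
                  if can_write(a, d) and a.name not in intended.get(d.path, ()))

# Which service is supposed to write where (constructed paths).
INTENDED = {"/srv/ldap-data": {"slapd"}, "/srv/mailstore": {"imapd"}}

# Layout 1: every service runs as one account, which owns every data directory.
ONE_USER = [Account(n, 1000, frozenset({1000})) for n in ("slapd", "imapd", "apache")]
ONE_USER_DIRS = [DataDir("/srv/ldap-data", 1000, 1000, 0o700),
                 DataDir("/srv/mailstore", 1000, 1000, 0o700)]

# Layout 2: one account per service; imapd is in slapd's group for read-only access.
SEPARATED = [Account("slapd", 1001, frozenset({1001})),
             Account("imapd", 1002, frozenset({1002, 1001})),
             Account("apache", 1003, frozenset({1003}))]
SEPARATED_DIRS = [DataDir("/srv/ldap-data", 1001, 1001, 0o750),
                  DataDir("/srv/mailstore", 1002, 1002, 0o700)]

if __name__ == "__main__":
    for label, accts, dirs in (("one user", ONE_USER, ONE_USER_DIRS),
                               ("separated", SEPARATED, SEPARATED_DIRS)):
        print(label, audit(accts, dirs, INTENDED))
```

On a live host the same `can_write` can be fed from `os.stat()` and `pwd`/`grp` lookups for each service's process user.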