---------- Forwarded message ----------
From: "Marco Pizzoli" <marco.pizzoli(a)gmail.com>
Date: 5 Apr 2011 14:29
Subject: Re: Tuning openldap, nss_ldap and pam_ldap
To: "c0re" <nr1c0re(a)gmail.com>
Hi,
If it was the same problem that I had some time ago, it was due to idle
connections that I gold slapd to close after x seconds.
Check yours, and eventually set a keep alive parameter on your client,
nss_ldap.
Regards
Marco
On 5 Apr 2011 13:44, "c0re" <nr1c0re(a)gmail.com> wrote:
>
> Hello openldap users!
>
> I've got Openldap 2.4.23 that used as authentication and authorization
server for about 40-50 servers.
> OS - FreeBSD 8.1.
>
> It's not heavy loaded.
>
> openldap# top -SP
> last pid: 45647; load averages: 0.15, 0.15, 0.07
up 81+22:29:21 15:18:57
> 99 processes: 3 running, 80 sleeping, 16 waiting
> CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle
> CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle
> Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
> Swap: 4060M Total, 8K Used, 4060M Free
>
> PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU
COMMAND
> 11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle
> 4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd
>
> But on my servers sometimes I see in logs something like
>
> on FTP-server:
> Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server -
Server is unavailable
>
> Authentication works fine, no problems. But want to find out what can be
wrong.
>
> To understand this problem I installed ldap-stats utility and made it run:
>
> /var/log/debug.log - it's half day openldap server usage log.
>
> openldap# ldap-stats -c 1000 /var/log/debug.log
>
>
> Report Generated on Tue Apr 5 15:16:47 2011
> --------------------------------------------
> Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33
>
>
> Operation totals
> ----------------
> Total operations : 913845
> Total connections : 101226
> Total authentication failures : 2
> Total binds : 99700
> Total unbinds : 99181
> Total searches : 714964
> Total compares : 7
> Total modifications : 0
> Total modrdns : 0
> Total additions : 0
> Total deletions : 0
> Unindexed attribute requests : 0
> Operations per connection : 9.03
>
>
> # Uses Filter
> ---------- -----------------------------------------------------------
> 615504 (&(objectClass=posixAccount)(uid=mailer-daemon))
> 90699 (&(objectClass=posixGroup))
> 6833 (&(objectClass=posixAccount)(uid=root))
> 2236 (&(objectClass=posixAccount)(uid=hiddenuser1))
> 669 (&(objectClass=posixGroup)(memberUid=root))
> 318 (&(objectClass=posixAccount)(uid=testacc))
> 87 (&(objectClass=posixGroup)(memberUid=postfix))
> 87 (&(objectClass=posixAccount)(uid=postfix))
> 81 (objectClass=posixAccount)
> 68 (&(objectClass=posixAccount)(uid=debian-exim))
> 68 (&(objectClass=posixGroup)(memberUid=Debian-exim))
> 39 (&(objectClass=posixAccount)(uid=normaluser))
> 34 (&(objectClass=posixAccount)(uidNumber=7333))
> 30 (&(objectClass=posixGroup)(memberUid=hiddenuser1))
> 29 (&(objectClass=posixGroup)(memberUid=chelovek))
> 29 (&(objectClass=posixAccount)(uid=chelovek))
> 27 (&(objectClass=posixAccount)(uid=user0))
> 23 (&(objectClass=posixAccount)(uid=nobody))
> 21 (&(objectClass=posixAccount)(uid=user1))
> 18 (&(objectClass=posixAccount)(uid=user2))
> 16 (&(objectClass=posixAccount)(uid=user3))
> 15 (&(objectClass=posixAccount)(uid=user4))
> 12 (&(objectClass=posixAccount)(uid=user5))
> 11 (&(objectClass=posixAccount)(uidNumber=7330))
> 10 (&(objectClass=posixAccount)(uid=user15))
> 9 (&(objectClass=posixAccount)(uid=user16))
> 8 (&(objectClass=posixAccount)(uidNumber=7333))
> 6 (&(objectClass=posixAccount)(uid=user6))
> 5 (&(objectClass=posixAccount)(uid=user7))
> 5 (cn=defaults)
> 4 (&(objectClass=posixAccount)(uidNumber=7228))
> 4 (&(objectClass=shadowAccount)(uid=user1))
> 4 (&(objectClass=posixAccount)(uid=user9))
> 4 (&(objectClass=posixAccount)(uid=user10))
> 4 (&(objectClass=posixAccount)(uid=user11))
> 3 (&(objectClass=posixAccount)(uid=user12))
> 3 (&(objectClass=posixAccount)(uid=user13))
> 3 (&(objectClass=posixAccount)(uid=user14))
> ...............
> and MANY others that has 1 use in this stats.
> I think this many queries from mail relay server.
> * user1 and etc - just hidden real users.
>
> What can I do to tune nss? Can you point me in a right direction? Do not
know what to look at.
> If you need any additional information, logs and etc - I'll provide it.
>
> Thanks in advance!
>