Re: Memory usage (ITS 6660): Is there a patch to 2.4.23 version to fix the problem ?
by Friedrich Locke
On Sat, Jul 30, 2011 at 6:31 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Saturday, July 30, 2011 6:23 PM -0300 Friedrich Locke
> <friedrich.locke(a)gmail.com> wrote:
>
> Please don't top post.
>
Sorry.
>
>> It is not that it's using 63MB. It is that it uses 63MB after performing
>> 4 lookups, i.e., its memory usage grows from 15MB to 63MB.
>
>
>> cachesize 4096
>
> How many entries do you have in your database?
>
No more than 50 entries at most.
>> dbnosync
>> dirtyread
>
> These are *not* good values to set. You should remove them.
I will remove them.
>
> You have failed to provide some key pieces of information. Please provide
> your DB_CONFIG file. Please provide the total size of your BDB database (du
> -c -h *.bdb). Please provide the number of real cores your system has
> available. ITS6660 *only* affects systems with 4+ CPUs. All I've seen you
> say so far is that as slapd is used, it grows in size. That's typical of
> slapd loading entries from off of disk into memory. Unless we know how
> large your database itself *is*, there is no telling if what it is doing is
> wrong or not.
My DB_CONFIG is:
set_cachesize 0 16777216 1
set_lg_regionmax 262144
set_lg_bsize 2097152
My database size is:
gustav# du -c -h *.bdb
32.0K cn.bdb
32.0K dn2id.bdb
64.0K id2entry.bdb
32.0K mail.bdb
32.0K mailAlternateAddress.bdb
32.0K mailHost.bdb
32.0K objectClass.bdb
32.0K uid.bdb
288K total
gustav#
My system has 2 cores!
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
9 years, 8 months
Re: Memory usage (ITS 6660): Is there a patch to 2.4.23 version to fix the problem ?
by Friedrich Locke
It is not that it's using 63MB. It is that it uses 63MB after performing
4 lookups, i.e., its memory usage grows from 15MB to 63MB.
If I try more LDAP lookups (15 in total), it goes to 425 MB of usage. I
tried to limit data usage via unix resource control (/etc/login.conf,
yes, I am using OpenBSD). The process (slapd) dies after reaching the
limit for data memory usage.
Here is my configuration (/etc/openldap/slapd.conf)
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/oldap/slapd.pid
argsfile /var/run/oldap/slapd.args
database bdb
#suffix "dc=my-domain,dc=com"
suffix "dc=ufv,dc=br"
#rootdn "cn=Manager,dc=my-domain,dc=com"
rootdn "cn=oldap,dc=ufv,dc=br"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
rootpw {SSHA}HBjSmSCbiE8J26EuDg3ULnSj2SmN1x5g
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap-data
# Indices to maintain
index cn eq
index objectClass eq
index mail,mailalternateaddress,uid eq,sub
index accountstatus,mailhost,deliverymode eq
index default eq
cachesize 4096
checkpoint 128 15
dbnosync
dirtyread
sasl-host gustav.cpd.ufv.br
sasl-realm UFV.BR
sasl-regexp uid=([^,]+),cn=UFV.BR,cn=gssapi,cn=auth
        uid=$1,ou=people,dc=ufv,dc=br
limits dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" time=2048 size=16384
limits dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" time=2048 size=16384
limits dn.onelevel="ou=people,dc=ufv,dc=br" time=4 size=1
access to dn.one="ou=appsrv,dc=ufv,dc=br" attrs=userpassword
        by self read
        by anonymous auth
# by * none
access to dn.one="ou=appsrv,dc=ufv,dc=br"
        by self read
# by * none
access to dn.one="ou=people,dc=ufv,dc=br" attrs=userpassword
        by self read
        by anonymous auth
# by * none
access to dn.one="ou=people,dc=ufv,dc=br" attrs=objectclass
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" search
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.one="ou=people,dc=ufv,dc=br" attrs=homedirectory
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.one="ou=people,dc=ufv,dc=br" attrs=entry,uid
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.one="ou=people,dc=ufv,dc=br"
        attrs=cn,uidnumber,gidnumber,loginshell,gecos,description
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.one="ou=people,dc=ufv,dc=br"
        attrs=mail,mailalternateaddress,qmailuid,qmailgid,mailmessagestore,mailquotasize,mailquotacount,mailsizemax,mailforwardingaddress,deliveryprogrampath,mailhost,deliverymode,mailreplytext,qmaildotmode,accountstatus,qmailaccountpurge
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.one="ou=people,dc=ufv,dc=br"
        by self read
# by * none
access to dn.base="ou=people,dc=ufv,dc=br" attrs=entry
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.base="dc=ufv,dc=br" attrs=entry
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.one="ou=group,dc=ufv,dc=br"
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
# by * none
access to dn.base="ou=group,dc=ufv,dc=br" attrs=entry
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
# by * none
#######################################################################
# Monitor database definitions
#######################################################################
database monitor
access to dn.subtree="cn=monitor"
        by dn.base="cn=oldap,dc=ufv,dc=br" read
# by * none
=============== END OF CONFIGURATION ====================
On Sat, Jul 30, 2011 at 4:10 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, July 29, 2011 12:51 PM -0300 Friedrich Locke
> <friedrich.locke(a)gmail.com> wrote:
>
>> Dear list members,
>>
>> I am running openldap 2.4.23 and I am facing memory usage problems (ITS
>> 6660). I am not given the option to change to 2.4.23.
>> Is there a patch to fix this problem?
>
> Given your stated database size, I sincerely doubt you are hitting the issue
> in ITS6660. You also fail to note any of your configuration settings. I
> personally don't see a slapd size of 63MB particularly large. Does it
> continually grow, or does it stay steady at 63MB?
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
9 years, 8 months
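An added example (not code from this thread or from the OpenLDAP project): a small checker for the settings this thread discusses, namely the `dbnosync` and `dirtyread` directives the reply says to remove, a cleartext `rootpw` as warned about in the posted file's own comments, and the cache size declared in DB_CONFIG. The function names and the sample file are constructed for illustration; continuation lines are unwrapped before comments are dropped, which is the order slapd.conf(5) describes.

```python
import re

# Directives the reply quoted in this thread says to remove from a bdb database.
DISCOURAGED = {"dbnosync", "dirtyread"}

def logical_lines(text):
    """Unwrap continuation lines first, then drop comments (the slapd.conf(5) order)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue                          # blank line
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()      # leading whitespace continues the previous line
        else:
            out.append(raw.strip())
    return [line for line in out if not line.startswith("#")]

def audit(text):
    """Return (database, finding) pairs for the settings discussed in this thread."""
    findings, db = [], "global"
    for line in logical_lines(text):
        parts = line.split(None, 1)
        key, arg = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "database":
            db = arg
        elif key in DISCOURAGED:
            findings.append((db, f"{key} is set"))
        elif key == "rootpw" and not re.match(r"\{(?!CLEARTEXT\})[^}]+\}", arg, re.I):
            findings.append((db, "rootpw is stored in cleartext"))
    return findings

def bdb_cache_bytes(db_config):
    """Total cache from 'set_cachesize <gbytes> <bytes> <ncache>', or None if absent."""
    m = re.search(r"^\s*set_cachesize\s+(\d+)\s+(\d+)\s+(\d+)\s*$", db_config, re.M)
    return int(m.group(1)) * 2**30 + int(m.group(2)) if m else None

# Constructed sample, modelled on the posted file; the hash is a placeholder.
SAMPLE_CONF = """\
database bdb
rootpw {SSHA}CONSTRUCTED-PLACEHOLDER
dbnosync
dirtyread
access to dn.one="ou=people,dc=example,dc=org"
    by self read
# by * none
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF), bdb_cache_bytes("set_cachesize 0 16777216 1"))
```

Because unwrapping happens first, an indented line that follows a `#` comment is swallowed into that comment, so a directive placed there is silently ignored.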
Re: invalid syntax when teletexstring
by Erwann ABALEA
First, sorry for having placed this thread in private, that was
unintentional (maybe I should reconsider using a "reply to all" by
default). Group added.
2011/7/29 Howard Chu <hyc(a)symas.com>:
> Erwann ABALEA wrote:
[...]
>> In fact, I know such a CA that was generated some months ago, with a
>> very large audience, and whose certificates are to be stored in an
>> LDAP structure. Czech Republic passport CA certificate. If you want to
>> know how it's used, and by who, we can talk about it in private, or
>> you can look at www.icao.int, search for Doc9303 documents, PKD
>> structure, etc. (In fact, I didn't know of this limitation, and I'll
>> look forward its impact in integrating the Czech certificates in the
>> OpenLDAP structures we sell and deploy).
>> I agree that UTF8String would have been a much better choice, but
>> X.509 doesn't prevent the use of T61String.
>> In the meantime, some products still don't support UTF8String in
>> certificates, a Novell proxy product (I don't remember its exact name)
>> is an example I encountered recently.
>
> If that's the case, what solutions do you propose? We could accept T61String
> if it only uses characters that are present in 7-bit ASCII of course. But
> once you venture into 8-bit and extended/accented characters all bets are
> off.
I'll need to grab this CA certificate back. I was asked to give my
opinion on whether it was to be considered valid or not.
Despite the fact that T61String is clearly deprecated in
RFC5280/3280/2459, and that ICAO has chosen to base their certificate
profile on RFC3280 (a bad choice), asking for a country to change its
root CA cert signing all its passports because that doesn't follow
rules I personally don't adhere to is difficult and counterproductive.
I wasn't the only one to have this idea, and it was accepted. I'm 99%
sure 7 bits didn't suffice. The remaining 1% will be fixed as soon as
I find the certificate.
Do you have any document or pointer to understand the task of
converting to/from T.61, and incompatible character sets you talked
about? I Googled for this, but I'm not sure of what I found (what I
found reminds me of old character sets we used many years ago in
France for the Minitel, with G1/G2 character groups, etc, not that far
from VT consoles).
The ICAO group or PKD Board could ask the Czechs to produce X.509
certificates with UTF8String encoding for the issuerName's fields,
it's perfectly valid by X.520 rules (as long as the content is
semantically identical, differently encoded strings are equal, as you
know), but that's asking for implementors to produce completely
compliant code. And such code will have to be clearly written by
dozens of staffs in the world, and used by autonomous devices reading
passports, etc. A big bet. Given what I see in different countries'
certificates, we're far from this.
I'll try to take a look tomorrow.
--
Erwann.
9 years, 8 months
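An added example (not code from this thread or from OpenLDAP): a pre-check that walks a DER-encoded Name and reports each TeletexString (T61String) value together with whether it stays within 7-bit ASCII, the one case the quoted reply says could be accepted. The helper names and the sample Name are constructed for illustration and are not taken from any real certificate.

```python
TELETEX = 0x14  # universal tag 20: TeletexString (T61String)

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used inside a Name")
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past its container")
    return tag, pos, pos + length

def teletex_values(buf, start=0, end=None):
    """Yield (raw_bytes, is_7bit) for each TeletexString, descending into SEQUENCE/SET."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if tag & 0x20:                    # constructed: recurse into the contents
            yield from teletex_values(buf, vs, ve)
        elif tag == TELETEX:
            raw = bytes(buf[vs:ve])
            yield raw, all(b < 0x80 for b in raw)
        pos = ve

# Helpers that build the constructed sample (short-form lengths only).
def tlv(tag, content):
    return bytes([tag, len(content)]) + content

def rdn(oid, tag, value):                 # SET { SEQUENCE { OID, string } }
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, value)))

# Constructed sample Name, not taken from any real certificate.
SAMPLE_NAME = tlv(0x30, rdn(b"\x55\x04\x06", 0x13, b"XX")                   # C, PrintableString
                        + rdn(b"\x55\x04\x0a", TELETEX, b"Example Org")     # O, 7-bit only
                        + rdn(b"\x55\x04\x03", TELETEX, b"Test \xc2e CA"))  # CN, has an 8-bit byte

if __name__ == "__main__":
    print(list(teletex_values(SAMPLE_NAME)))
```

Values reported with `is_7bit` false are the ones whose conversion depends on the T.61 character-set handling discussed in the message above.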
OpenLDAP Stable?
by Friedrich Locke
I am running the latest openldap version considered stable, AFAIK: 2.4.23.
But it has simple problems about memory usage (ITS 6660).
How may the openldap project consider such a release as a stable version?
Thanks in advance.
9 years, 8 months
invalid syntax when teletexstring
by Vangelis Karatsiolis
Hi,
while trying to store an attribute with syntax DistinguishedName
containing a TeletexString on an OpenLDAP 2.4.23 there are errors in the
normalization process and the attribute cannot be stored due to invalid
syntax (21). A certificate containing such a subjectDN is also not
possible to be stored. Is it possible to deactivate this in this version
of OpenLDAP, for example through configuration or during the compilation?
Best Regards
Vangelis
9 years, 8 months
Version
by Friedrich Locke
hi folks,
i just wonder what are the most common versions of openldap you have
running on production systems right now.
Thanks in advance.
9 years, 8 months
OpenLDAP configuration
by Andreas Laesser
Hi @all
I've some questions regarding the "new" config interface from LDAP cn=config.
For one month I was trying to set up a MultiMaster configuration with
GSSAPI-auth (Kerb5) over TLS/SSL for three servers.
I tried many ways to create a config with the cn=config interface but I failed
every time.
Now my question: Is there a tutorial or howto which describes exactly my
problem? Or does anybody run a bunch of server in this configuration?
Thanks a lot for your help,
regards Andreas
--
=========================================================================
_____________
/ ___________/ Andreas Laesser
/ //_// /____/ Signal Proc.& Speech Communication Lab.
__/ /___/ / __ Graz University of Technology
/___//____//__ Inffeldgasse 12 | A-8010 Graz | Austria
http://www.spsc.tugraz.at Tel: +43 (0)316 873 -4443 Fax: DW 104439
=========================================================================
9 years, 8 months
OpenLDAP is using lots of memory
by Friedrich Locke
Hi folks,
i have installed qmail-ldap and everything is going fine. The only
problem i am seeing is that slapd is using too much memory.
I have a small scenario: 20 user accounts, 15 groups, all "inside" slapd.
The problem happens when local email is delivered. I take the
following approach:
First I disable qmail:
# svc -d qmail
Then I send 10 emails to a local user:
# echo to: localuser@localdomain | /var/qmail/bin/qmail-inject
Then I monitor the slapd process with "top" on another shell.
I sent 10 emails to a local user.
# echo to: localuser@localdomain | /var/qmail/bin/qmail-inject
Then I turn on qmail:
# svc -u qmail
Now, top's column "SIZE" goes from 13MB to 63MB
Is that correct? It gives 5 MB per connection from qmail to openldap!
What am I doing wrong?
Thanks in advance for your time and cooperation.
Best regards,
Fried.
9 years, 8 months
RE: SlapD is using more CPU
by Maucci, Cyrille
Dear Arun,
>> And also I just want to know why my ldap service are getting stopped....
What do you mean?
Do you mean the ldap unix process disappears ?
If so, did you enable core dumps to be written (ulimit -c) ?
Do you get a core file ?
I would not expect slapd to simply 'exit'.
Thanks
++Cyrille
________________________________
From: arun.sasi1(a)wipro.com [mailto:arun.sasi1@wipro.com]
Sent: Monday, July 25, 2011 2:45 PM
To: Maucci, Cyrille; openldap-technical(a)openldap.org
Subject: RE: SlapD is using more CPU
Dear Cyrille,
I am using Ubuntu 9.04 OS (Configured in VM), and OpenLdap OpenLDAP: slapd 2.4.15...
I have configured a Multi-Master setup here, i.e. two location servers act as multimaster and the remaining 7 locations act as slave servers (read-only copy).
Each location syncs with the master LDAP and fetches the updates from the master LDAP (syncrepl)...
In my infrastructure, more users access LDAP on Sundays, hence the LDAP server uses more CPU on those days and hangs... Please find attached a report which I took from the LDAP server.
I have increased my cache size... will it cause high CPU...?
And also I just want to know why my ldap service is getting stopped....
Thanks,
-Arun
From: Maucci, Cyrille [mailto:cyrille.maucci@hp.com]
Sent: Monday, July 25, 2011 5:59 PM
To: Arun Sasi V (WI01 - Manage IT); openldap-technical(a)openldap.org
Subject: RE: SlapD is using more CPU
Hello Arun Sasi,
are you saying you are surprised by the fact that the more LDAP search the more CPU consumption ? ( ! ).
I must have misunderstood your statement.
Since slapd is multi-threaded, I've myself pushed slapd to much more than 100% CPU.
So what do you mean by 'slapd is getting stopped' ?
Do you mean the process vanishes ?
Does it leave a baby core file around there ?
If so, you should probably send the back trace.
++Cyrille
________________________________
From: openldap-technical-bounces(a)OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of arun.sasi1(a)wipro.com
Sent: Monday, July 25, 2011 9:55 AM
To: openldap-technical(a)openldap.org
Subject: SlapD is using more CPU
Hello Team,
Whenever the number of searches to the master server increases... slapd is utilizing more than 100%... What could be the reason, and is there any benchmark defined...
Whenever it goes to 100%, the slapd server is getting stopped...
Thanks & Regards,
Arun Sasi V
Please do not print this email unless it is absolutely necessary.
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
www.wipro.com
9 years, 8 months
slapd memory consumption
by Friedrich Locke
I have openldap running ok. But when i run "top" i see slapd using
315MB in the column "SIZE".
The only software using slapd is qmail-ldap i installed.
Does anybody know what may be happening? How to diagnose this problem?
Thanks in advance.
Fried.
9 years, 8 months