nss_ldap.conf:

timelimit 10
bind_timelimit 5
bind_policy soft
nss_connect_policy oneshot

I think every mail that come through my mail relay ask openldap about nss... How can I workaround this? 

2011/4/5 Marco Pizzoli <marco.pizzoli@gmail.com>
---------- Forwarded message ----------
From: "Marco Pizzoli" <marco.pizzoli@gmail.com>
Date: 5 Apr 2011 14:29
Subject: Re: Tuning openldap, nss_ldap and pam_ldap
To: "c0re" <nr1c0re@gmail.com>

Hi,
If it was the same problem that I had some time ago, it was due to idle connections that I gold slapd to close after x seconds.
Check yours, and eventually set a keep alive parameter on your client, nss_ldap.

Regards
Marco

On 5 Apr 2011 13:44, "c0re" <nr1c0re@gmail.com> wrote:
>
> Hello openldap users!
>
> I've got Openldap 2.4.23 that used as authentication and authorization server for about 40-50 servers.
> OS - FreeBSD 8.1.
>
> It's not heavy loaded.
>
> openldap# top -SP
> last pid: 45647;  load averages:  0.15,  0.15,  0.07                                                                                                     up 81+22:29:21  15:18:57
> 99 processes:  3 running, 80 sleeping, 16 waiting
> CPU 0:  0.7% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.3% idle
> CPU 1:  0.4% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.9% idle
> Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
> Swap: 4060M Total, 8K Used, 4060M Free
>
>   PID USERNAME   THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
>    11 root         2 171 ki31     0K    32K CPU0    0 3874.8 200.00% idle
>  4773 ldap        18  44    0   398M 53748K ucond   1  41.1H  0.00% slapd
>
> But on my servers sometimes I see in logs something like
>
> on FTP-server:
> Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable
>
> Authentication works fine, no problems. But want to find out what can be wrong.
>
> To understand this problem I installed ldap-stats utility and made it run:
>
> /var/log/debug.log - it's half day openldap server usage log.
>
> openldap# ldap-stats -c 1000 /var/log/debug.log
>
>
> Report Generated on Tue Apr  5 15:16:47 2011
> --------------------------------------------
> Processed "/var/log/debug.log":  Apr  5 00:00:00 - Apr  5 15:17:33
>
>
> Operation totals
> ----------------
> Total operations              : 913845
> Total connections             : 101226
> Total authentication failures : 2
> Total binds                   : 99700
> Total unbinds                 : 99181
> Total searches                : 714964
> Total compares                : 7
> Total modifications           : 0
> Total modrdns                 : 0
> Total additions               : 0
> Total deletions               : 0
> Unindexed attribute requests  : 0
> Operations per connection     : 9.03
>
>
> # Uses        Filter
> ----------    -----------------------------------------------------------
>   615504      (&(objectClass=posixAccount)(uid=mailer-daemon))
>   90699       (&(objectClass=posixGroup))
>   6833        (&(objectClass=posixAccount)(uid=root))
>   2236        (&(objectClass=posixAccount)(uid=hiddenuser1))
>   669         (&(objectClass=posixGroup)(memberUid=root))
>   318         (&(objectClass=posixAccount)(uid=testacc))
>   87          (&(objectClass=posixGroup)(memberUid=postfix))
>   87          (&(objectClass=posixAccount)(uid=postfix))
>   81          (objectClass=posixAccount)
>   68          (&(objectClass=posixAccount)(uid=debian-exim))
>   68          (&(objectClass=posixGroup)(memberUid=Debian-exim))
>   39          (&(objectClass=posixAccount)(uid=normaluser))
>   34          (&(objectClass=posixAccount)(uidNumber=7333))
>   30          (&(objectClass=posixGroup)(memberUid=hiddenuser1))
>   29          (&(objectClass=posixGroup)(memberUid=chelovek))
>   29          (&(objectClass=posixAccount)(uid=chelovek))
>   27          (&(objectClass=posixAccount)(uid=user0))
>   23          (&(objectClass=posixAccount)(uid=nobody))
>   21          (&(objectClass=posixAccount)(uid=user1))
>   18          (&(objectClass=posixAccount)(uid=user2))
>   16          (&(objectClass=posixAccount)(uid=user3))
>   15          (&(objectClass=posixAccount)(uid=user4))
>   12          (&(objectClass=posixAccount)(uid=user5))
>   11          (&(objectClass=posixAccount)(uidNumber=7330))
>   10          (&(objectClass=posixAccount)(uid=user15))
>   9           (&(objectClass=posixAccount)(uid=user16))
>   8           (&(objectClass=posixAccount)(uidNumber=7333))
>   6           (&(objectClass=posixAccount)(uid=user6))
>   5           (&(objectClass=posixAccount)(uid=user7))
>   5           (cn=defaults)
>   4           (&(objectClass=posixAccount)(uidNumber=7228))
>   4           (&(objectClass=shadowAccount)(uid=user1))
>   4           (&(objectClass=posixAccount)(uid=user9))
>   4           (&(objectClass=posixAccount)(uid=user10))
>   4           (&(objectClass=posixAccount)(uid=user11))
>   3           (&(objectClass=posixAccount)(uid=user12))
>   3           (&(objectClass=posixAccount)(uid=user13))
>   3           (&(objectClass=posixAccount)(uid=user14))
> ...............
> and MANY others that has 1 use in this stats.
> I think this many queries from mail relay server.
> * user1 and etc - just hidden real users.
>
> What can I do to tune nss? Can you point me in a right direction? Do not know what to look at.
> If you need any additional information, logs and etc - I'll provide it.
>
> Thanks in advance!
>