Hi all,
My latest test system includes a Kerberos server that uses OpenLDAP, reached over IPC, as its back-end database. It usually works, but not always. For example, after kadmin recently failed to add a new principal to the Kerberos database, I found this error in the provider's syslog:
Feb 10 22:37:29 kls1 slapd[1722]: bdb_db_cache: db_open(entryUUID) failed: Too many open files (24)
Feb 10 22:37:29 kls1 slapd[1722]: bdb_index_read: Could not open DB entryUUID
Feb 10 22:37:29 kls1 slapd[1722]: conn=4 op=13 RESULT tag=105 err=80 text=index generation failed
A restart of the Kerberos KDC and admin servers seemed to solve the problem, but obviously that's not ideal. Later on, I had a look at the numbers of open files on the system:
~# lsof -i |grep slapd
slapd 1722 openldap 8u IPv6 4603 TCP *:ldap (LISTEN)
slapd 1722 openldap 9u IPv4 4604 TCP *:ldap (LISTEN)
slapd 1722 openldap 545u IPv4 12823 TCP kls1.example.com:ldap->kls2.example.com:51555 (ESTABLISHED)
slapd 1722 openldap 744u IPv4 8899 TCP kls1.example.com:ldap->kls2.example.com:49100 (ESTABLISHED)
545u and 745u!? Restarting the Kerberos servers made no difference, but restarting slapd brought the descriptor numbers back down to 8u and 9u. Descriptor numbers that high mean slapd had several hundred descriptors in use at the same time, which fits the "Too many open files (24)" error above, but I have no idea what caused them to rise. My provider/master server's config files are below.
Does anyone have an idea what might be going on and how I might prevent this situation from occurring again?
Thanks,
Jaap
==/etc/ldap/slapd.conf================
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kerberos.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
authz-regexp uid=admin,cn=example.com,cn=gssapi,cn=auth cn=admin,dc=example,dc=com
authz-regexp uid=ldap/([^/.]+).example.com,cn=example.com,cn=gssapi,cn=auth cn=$1,ou=consumers,dc=example,dc=com
authz-regexp uid=([^,]+),cn=example.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=com
sasl-realm EXAMPLE.COM
authz-policy to
backend hdb
database hdb
suffix "dc=example,dc=com"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
index uid eq
index krbPrincipalName eq,pres,sub
index entryUUID eq
index entryCSN eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by dn="cn=kls2,ou=consumers,dc=example,dc=com" read by anonymous auth by self write by * none
access to dn.subtree="ou=krb5,dc=example,dc=com" by dn="cn=admin,dc=example,dc=com" write by dn="cn=adm-srv,ou=krb5,dc=example,dc=com" write by dn="cn=kdc-srv,ou=krb5,dc=example,dc=com" read by dn="cn=kls2,ou=consumers,dc=example,dc=com" read by * none
access to dn.base="" by * read
access to * by dn="cn=admin,dc=example,dc=com" write by * read
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
======================================
==/etc/default/slapd==================
# /etc/default/slapd — variables read by the slapd init script (assumed from
# the file's location; confirm against the init script itself).
# Left empty: presumably the init script falls back to its default config path.
SLAPD_CONF=
# slapd presumably drops to this user/group, so everything it needs at
# runtime — the database directory, the config, and the keytab exported
# below — must be readable by "openldap".
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
# Left empty: presumably defaults to the pidfile named in slapd.conf.
SLAPD_PIDFILE=
# TCP listener plus the ldapi:/// Unix-domain socket; the Kerberos kldap
# module is expected to use the latter (see the note under krb5.conf about
# "ldap_servers" being omitted).
SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
# Keytab used for slapd's GSSAPI/SASL authentication (sasl-realm and the
# gssapi authz-regexp rules live in slapd.conf).
# NOTE(review): if this is the host's shared keytab, every other service key
# in it also becomes readable by the openldap user; a dedicated keytab holding
# only the ldap/ principal limits that exposure — confirm what
# /etc/krb5.keytab contains.
export KRB5_KTNAME=/etc/krb5.keytab
SLAPD_OPTIONS=""
======================================
==/etc/krb5.conf======================
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true
[realms]
    EXAMPLE.COM = {
        kdc = kls1.example.com
        admin_server = kls.example.com
        database_module = openldap_ldapconf
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
[login]
    krb4_convert = true
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
        ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_conns_per_server = 5
    }
[logging]
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/kadmin.log
    default = FILE:/var/log/krb5/klib.log
======================================
Note: the "ldap_servers" option is omitted, as the default is to use IPC.
======================================