Check your idle timelimit on slapd and then try to set the nss_ldap
directive *idle_timelimit* to a value lower than it.
It should work.
Let me know.
Marco
On Tue, Apr 5, 2011 at 4:51 PM, c0re <nr1c0re(a)gmail.com> wrote:
/usr/local/etc/ldap.conf
....
timelimit 10
bind_timelimit 5
bind_policy soft
....
2011/4/5 Marco Pizzoli <marco.pizzoli(a)gmail.com>
>
> On 5 Apr 2011 16:11, "c0re" <nr1c0re(a)gmail.com> wrote:
> >
> > nss_ldap.conf:
> >
> > timelimit 10
> > bind_timelimit 5
> > bind_policy soft
> > nss_connect_policy oneshot
> >
> > I think every mail that comes through my mail relay asks openldap about nss... How can I work around this?
> >
> > 2011/4/5 Marco Pizzoli <marco.pizzoli(a)gmail.com>
> >>
> >> ---------- Forwarded message ----------
> >> From: "Marco Pizzoli" <marco.pizzoli(a)gmail.com>
> >> Date: 5 Apr 2011 14:29
> >> Subject: Re: Tuning openldap, nss_ldap and pam_ldap
> >> To: "c0re" <nr1c0re(a)gmail.com>
> >>
> >> Hi,
> >> If it was the same problem that I had some time ago, it was due to idle connections that I told slapd to close after x seconds.
> >> Check yours, and eventually set a keep alive parameter on your client, nss_ldap.
> >>
> >> Regards
> >> Marco
> >>
> >> On 5 Apr 2011 13:44, "c0re" <nr1c0re(a)gmail.com> wrote:
> >> >
> >> > Hello openldap users!
> >> >
> >> > I've got Openldap 2.4.23 that is used as authentication and authorization server for about 40-50 servers.
> >> > OS - FreeBSD 8.1.
> >> >
> >> > It's not heavily loaded.
> >> >
> >> > openldap# top -SP
> >> > last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57
> >> > 99 processes: 3 running, 80 sleeping, 16 waiting
> >> > CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle
> >> > CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle
> >> > Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
> >> > Swap: 4060M Total, 8K Used, 4060M Free
> >> >
> >> > PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
> >> > 11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle
> >> > 4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd
> >> >
> >> > But on my servers sometimes I see in logs something like
> >> >
> >> > on FTP-server:
> >> > Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable
> >> >
> >> > Authentication works fine, no problems. But I want to find out what can be wrong.
> >> >
> >> > To understand this problem I installed the ldap-stats utility and ran it:
> >> >
> >> > /var/log/debug.log - it's a half-day openldap server usage log.
> >> >
> >> > openldap# ldap-stats -c 1000 /var/log/debug.log
> >> >
> >> >
> >> > Report Generated on Tue Apr 5 15:16:47 2011
> >> > --------------------------------------------
> >> > Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33
> >> >
> >> >
> >> > Operation totals
> >> > ----------------
> >> > Total operations : 913845
> >> > Total connections : 101226
> >> > Total authentication failures : 2
> >> > Total binds : 99700
> >> > Total unbinds : 99181
> >> > Total searches : 714964
> >> > Total compares : 7
> >> > Total modifications : 0
> >> > Total modrdns : 0
> >> > Total additions : 0
> >> > Total deletions : 0
> >> > Unindexed attribute requests : 0
> >> > Operations per connection : 9.03
> >> >
> >> >
> >> > # Uses Filter
> >> > ---------- -----------------------------------------------------------
> >> > 615504 (&(objectClass=posixAccount)(uid=mailer-daemon))
> >> > 90699 (&(objectClass=posixGroup))
> >> > 6833 (&(objectClass=posixAccount)(uid=root))
> >> > 2236 (&(objectClass=posixAccount)(uid=hiddenuser1))
> >> > 669 (&(objectClass=posixGroup)(memberUid=root))
> >> > 318 (&(objectClass=posixAccount)(uid=testacc))
> >> > 87 (&(objectClass=posixGroup)(memberUid=postfix))
> >> > 87 (&(objectClass=posixAccount)(uid=postfix))
> >> > 81 (objectClass=posixAccount)
> >> > 68 (&(objectClass=posixAccount)(uid=debian-exim))
> >> > 68 (&(objectClass=posixGroup)(memberUid=Debian-exim))
> >> > 39 (&(objectClass=posixAccount)(uid=normaluser))
> >> > 34 (&(objectClass=posixAccount)(uidNumber=7333))
> >> > 30 (&(objectClass=posixGroup)(memberUid=hiddenuser1))
> >> > 29 (&(objectClass=posixGroup)(memberUid=chelovek))
> >> > 29 (&(objectClass=posixAccount)(uid=chelovek))
> >> > 27 (&(objectClass=posixAccount)(uid=user0))
> >> > 23 (&(objectClass=posixAccount)(uid=nobody))
> >> > 21 (&(objectClass=posixAccount)(uid=user1))
> >> > 18 (&(objectClass=posixAccount)(uid=user2))
> >> > 16 (&(objectClass=posixAccount)(uid=user3))
> >> > 15 (&(objectClass=posixAccount)(uid=user4))
> >> > 12 (&(objectClass=posixAccount)(uid=user5))
> >> > 11 (&(objectClass=posixAccount)(uidNumber=7330))
> >> > 10 (&(objectClass=posixAccount)(uid=user15))
> >> > 9 (&(objectClass=posixAccount)(uid=user16))
> >> > 8 (&(objectClass=posixAccount)(uidNumber=7333))
> >> > 6 (&(objectClass=posixAccount)(uid=user6))
> >> > 5 (&(objectClass=posixAccount)(uid=user7))
> >> > 5 (cn=defaults)
> >> > 4 (&(objectClass=posixAccount)(uidNumber=7228))
> >> > 4 (&(objectClass=shadowAccount)(uid=user1))
> >> > 4 (&(objectClass=posixAccount)(uid=user9))
> >> > 4 (&(objectClass=posixAccount)(uid=user10))
> >> > 4 (&(objectClass=posixAccount)(uid=user11))
> >> > 3 (&(objectClass=posixAccount)(uid=user12))
> >> > 3 (&(objectClass=posixAccount)(uid=user13))
> >> > 3 (&(objectClass=posixAccount)(uid=user14))
> >> > ...............
> >> > and MANY others that have 1 use in these stats.
> >> > I think these many queries are from the mail relay server.
> >> > * user1 etc. - just hidden real users.
> >> >
> >> > What can I do to tune nss? Can you point me in the right direction? I do not know what to look at.
> >> > If you need any additional information, logs, etc. - I'll provide it.
> >> >
> >> > Thanks in advance!
> >> >
> >
> >
>
> Have you got pam_ldap.conf configured?
> If so, what are the corresponding configurations related to ldap server
> connections?
>
--
_________________________________________
It is not the one who never falls who is strong, but the one who, in falling, has the strength to get back up.
Jim Morrison
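
Added example (not part of the original thread, and not code from OpenLDAP or nss_ldap): a small Python check of the rule suggested at the top of this message, that nss_ldap's idle_timelimit should be lower than slapd's idletimeout. The client settings are the ones quoted in the thread; the server config and the values 60 and 30 are constructed, and treating idle_timelimit 0 like an unset directive is an assumption.

```python
import re

def directive(conf_text, name):
    """Return the integer argument of the last `name <int>` line, or None if absent."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        m = re.fullmatch(rf"{re.escape(name)}\s+(\d+)", line, re.IGNORECASE)
        if m:
            value = int(m.group(1))
    return value

def check_idle(slapd_conf, nss_conf):
    """Compare slapd's idletimeout with nss_ldap's idle_timelimit."""
    # slapd: 0 or unset means idle clients are never dropped by the server.
    server = directive(slapd_conf, "idletimeout") or 0
    # Assumption: 0 is handled like unset (client never closes idle connections).
    client = directive(nss_conf, "idle_timelimit") or 0
    if server == 0:
        return ("ok", "slapd does not close idle connections")
    if client == 0:
        return ("risk", f"slapd drops idle connections after {server}s, "
                        "client never closes them first")
    if client >= server:
        return ("risk", f"idle_timelimit {client} is not lower than idletimeout {server}")
    return ("ok", f"client closes idle connections after {client}s, "
                  f"before slapd's {server}s")

# Constructed server config; 60 is a sample value, not from the thread.
SLAPD_CONF = "idletimeout 60\n"
# Client settings as quoted in the thread (no idle_timelimit present).
NSS_BEFORE = "timelimit 10\nbind_timelimit 5\nbind_policy soft\nnss_connect_policy oneshot\n"
# Same settings with the suggested directive added; 30 is a constructed value.
NSS_AFTER = NSS_BEFORE + "idle_timelimit 30\n"

if __name__ == "__main__":
    for label, conf in (("before", NSS_BEFORE), ("after", NSS_AFTER)):
        print(label, *check_idle(SLAPD_CONF, conf))
```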