Thanks for the suggestion.
In netstat/lsof I see that most of the connections (~900 of the ~1000 open connections) are to the proxy "target" servers. I can also see the other end of these connections in netstat/lsof on the "target" server.
In cn=Connections,cn=Monitor I only see the ~100 client connections, which seems about right.
--
Clemens Bergmann
[er/ihm; he/him]
Gruppe Nutzermanagement und Entwicklung
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64283 Darmstadt
Tel. +49 6151 16 71184
http://www.hrz.tu-darmstadt.de/
> -----Original Message-----
> From: Windl, Ulrich <u.windl@ukr.de>
> Sent: Thursday, 3 July 2025 08:55
> To: Bergmann, Clemens <clemens.bergmann@tu-darmstadt.de>; openldap-technical@openldap.org
> Subject: RE: many connections in proxy setup
>
> Suggestion: examine the connections you have; either like “netstat”, or the
> monitoring connection database.
>
> Maybe you get an idea what kind of connections you have.
>
> Kind regards,
> Ulrich Windl
>
> From: Bergmann, Clemens <clemens.bergmann@tu-darmstadt.de>
> Sent: Tuesday, July 1, 2025 3:48 PM
> To: openldap-technical@openldap.org
> Subject: [EXT] many connections in proxy setup
>
> Hi,
>
> we have two openLDAP Servers configured with back_ldap. Each server has
> one non-OpenLDAP-Server as “target”.
>
> I pasted a redacted copy of my configuration below.
>
> At any given time we have around 100 connections from clients to the
> openLDAP Server. I noticed that there are a lot more connections open from
> the ldap Server to the “target” Servers. Sometimes close to 1000. As this is a
> temporary setup I did not investigate any more. In the last days we sometimes
> see the following errors in log:
>
> “daemon: accept(10) failed errno=24 (Too many open files)”
> “connection_input: conn=1799 deferring operation: too many executing”
> “connection_read(446): no connection!”
>
> I suspect that this is because there are more than 1024 connections open and
> the OS is preventing opening more FDs.
>
> I am not sure why we have so many open connections to the “target” servers.
>
> Maybe someone can spot my config error.
>
> Thanks in advance.
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/lib/openldap/slapd.args
> olcIdleTimeout: 15
> olcLocalSSF: 256
> olcLogLevel: none
> olcPidFile: /var/lib/openldap/slapd.pid
> olcRootDSE: /etc/openldap/rootDSE.ldif
> olcSaslSecProps: noplain,noanonymous
> olcSecurity: simple_bind=256 ssf=256 tls=0
> olcTLSCACertificateFile: /etc/ssl/certs/ca-bundle.crt
> olcTLSCertificateFile: /etc/openldap/certs/server.pem
> olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
> olcTLSCipherSuite: DEFAULT:-SHA1:-CBC
> olcTLSDHParamFile: /etc/openldap/dhparam.pem
> olcTLSProtocolMin: 3.3
>
> dn: olcDatabase={2}ldap,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcLDAPConfig
> olcDatabase: {2}ldap
> olcAccess: redacted
> olcDbACLBind: bindmethod=simple binddn=cn=proxy,ou=admin,o=tu-darmstadt credentials=redacted tls_cacert=/etc/ssl/certs/ca-bundle.crt
> olcDbStartTLS: ldaps tls_cacert=/etc/ssl/certs/ca-bundle.crt
> olcDbURI: ldaps://backend-server01.example.com/
> olcRootDN: cn=admin,ou=admin,o=tu-darmstadt
> olcSizeLimit: unlimited
> olcSuffix: o=tu-darmstadt
> olcTimeLimit: 90
>
> Kind regards
>
> Clemens (Bergmann)
>
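
Added example, not part of the original thread: one way to do the netstat-style comparison discussed above is to split the proxy host's TCP sockets into inbound client connections and outbound connections to the back_ldap target, then compare the total against the file descriptor limit. The `ss -tn` sample is constructed, and the listening ports (389/636) and the 1024 default limit are assumptions; the real soft limit of a running slapd is shown in /proc/<pid>/limits.

```python
"""Group slapd TCP sockets by direction and compare them with the fd limit."""
from collections import Counter

# Constructed sample in `ss -tn` format (documentation addresses, not from the thread).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.0.2.10:636       198.51.100.7:51514
ESTAB  0      0      192.0.2.10:636       198.51.100.8:40022
ESTAB  0      0      192.0.2.10:47110     203.0.113.5:636
ESTAB  0      0      192.0.2.10:47112     203.0.113.5:636
ESTAB  0      0      192.0.2.10:47114     203.0.113.5:636
CLOSE-WAIT 0  0      192.0.2.10:47116     203.0.113.5:636
"""

LISTEN_PORTS = {"389", "636"}  # assumption: ports the proxy and the target use

def classify(ss_output, listen_ports=LISTEN_PORTS):
    """Count sockets keyed by (direction, peer host, TCP state).
    inbound = a client connected to us; outbound = we connected to the target."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # skip the header and malformed lines
        state, local, peer = fields[0], fields[3], fields[4]
        lport = local.rsplit(":", 1)[1]          # rsplit also copes with [::1]:636
        phost, pport = peer.rsplit(":", 1)
        if lport in listen_ports:
            counts[("inbound", phost, state)] += 1
        elif pport in listen_ports:
            counts[("outbound", phost, state)] += 1
    return counts

def summarize(counts, soft_limit=1024, warn_at=0.8):
    """Totals per direction and whether sockets alone approach the fd soft limit."""
    by_dir = Counter()
    for (direction, _host, _state), n in counts.items():
        by_dir[direction] += n
    total = by_dir["inbound"] + by_dir["outbound"]
    return {"inbound": by_dir["inbound"], "outbound": by_dir["outbound"],
            "total": total, "near_limit": total >= warn_at * soft_limit}

if __name__ == "__main__":
    print(summarize(classify(SAMPLE)))
```

Outbound sockets that stay in CLOSE-WAIT or far outnumber the inbound ones point at the proxy side holding target connections open, which is the pattern the netstat/lsof output in this thread describes.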