Hello,
I have found some weird messages in my syslog since I set up openldap and switched my users from local passwd/shadow to openldap.
I have two notebooks using sssd and the openldap server is configured with pam_ldap/nss_ldap authentication. I didn't have any problems, but I'm unsure why those messages are logged and so I decided to ask this on the list.
Those are the messages in question:
Mar 22 20:10:01 foobarsrv1 slapd[16923]: connection_input: conn=12652 deferring operation: binding
Mar 22 15:36:33 foobarsrv1 slapd[16923]: connection_read(29): no connection!
Mar 22 15:37:36 foobarsrv1 slapd[16923]: conn=10375 op=6 ABANDON msg=6
Mar 15 09:00:59 foobarsrv1 slapd[28731]: connection_input: conn=16081 deferring operation: too many executing
Mar 12 18:33:54 foobarsrv1 slapd[699]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
I have tried to find a solution or reason for this for two weeks or so, but I couldn't find the answer/solution. Regarding the "deferring operation: binding" message I'm just concerned, because there is absolutely no load on the system and I'm not sure what would happen if I had more than 3 clients (including the server) which use ldap. I already tried to match those messages with other things going on on the system, but I could get any match. Currently I get the "deferring operation: binding" anything between 2 and 10 times a day.
I know that this may be more than one issue, but I hope that you are willing to help me solve this.
This is my slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
security tls=1 simple_bind=128
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by * read
access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
database hdb
suffix "dc=foobar,dc=local"
checkpoint 32 30
rootdn "cn=Manager,dc=foobar,dc=local"
rootpw {SSHA}XXXX
directory /var/lib/openldap-data
index objectClass eq
index uid pres,eq
index memberUid pres,eq
index uidNumber pres,eq
index gidNumber pres,eq
index uniqueMember pres,eq
index sambaSID pres,eq
index mail pres,sub,eq
index cn pres,sub,eq
index sn pres,sub,eq
index dc eq
database config
My /etc/ldap.conf
host 127.0.0.1
base dc=foobar,dc=local
uri ldap://localhost/
ldap_version 3
scope one
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_member_attribute memberuid
pam_min_uid 1000
pam_password exop
nss_base_passwd ou=People,dc=foobar,dc=local?one
nss_base_shadow ou=People,dc=foobar,dc=local?one
nss_base_group ou=Groups,dc=foobar,dc=local?one
nss_base_hosts ou=Hosts,dc=foobar,dc=local?one
ssl start_tls
nss_initgroups_ignoreusers root,bin,daemon,adm,lp,sync,shutdown,halt,news,uucp,operator,portage,nobody,man,sshd,cron,mail,postmaster,ldap,mysql,mediatomb,dovecot,dovenull,apache,openvpn,clamav,bacula,asterisk,ntp
The openldap server is an up to date Gentoo system.
If you need more information just let me know.
Kind regards,
Timo
--On Monday, March 23, 2015 9:19 PM +0100 Timo Eissler timo@teissler.de wrote:
> Mar 22 20:10:01 foobarsrv1 slapd[16923]: connection_input: conn=12652 deferring operation: binding
Can be ignored. Server is simply busy and will process this bind when resources allow (this is an informational message).
> Mar 22 15:36:33 foobarsrv1 slapd[16923]: connection_read(29): no connection!
This means the client closed the connection w/o performing an unbind request. Can be ignored.
> Mar 22 15:37:36 foobarsrv1 slapd[16923]: conn=10375 op=6 ABANDON msg=6
This means the client sent an abandon. Can be ignored.
> Mar 15 09:00:59 foobarsrv1 slapd[28731]: connection_input: conn=16081 deferring operation: too many executing
Same reasons as the first log message.
> Mar 12 18:33:54 foobarsrv1 slapd[699]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
This is the password policy control. Since you haven't implemented ppolicy, clearly it won't be available. Should be ignorable unless you want to implement a password policy.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
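Added example, not part of the original thread or of OpenLDAP: a small triage script that sorts slapd syslog lines into the categories explained in the reply above and counts deferrals per day, which is the figure asked about in the first mail. The sample input is constructed from the log lines quoted in the thread plus one unrelated line; the category labels and function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the five slapd lines from the thread plus one non-slapd line.
SAMPLE = """\
Mar 22 20:10:01 foobarsrv1 slapd[16923]: connection_input: conn=12652 deferring operation: binding
Mar 22 15:36:33 foobarsrv1 slapd[16923]: connection_read(29): no connection!
Mar 22 15:37:36 foobarsrv1 slapd[16923]: conn=10375 op=6 ABANDON msg=6
Mar 15 09:00:59 foobarsrv1 slapd[28731]: connection_input: conn=16081 deferring operation: too many executing
Mar 12 18:33:54 foobarsrv1 slapd[699]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Mar 22 20:10:02 foobarsrv1 sshd[411]: Accepted publickey for timo
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host slapd[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+) [\d:]+ \S+ slapd\[\d+\]: (.*)$")

# (label, pattern) pairs; labels follow the explanations given in the reply.
RULES = [
    ("deferred (binding)", re.compile(r"deferring operation: binding$")),
    ("deferred (too many executing)", re.compile(r"deferring operation: too many executing$")),
    ("client closed without unbind", re.compile(r"^connection_read\(\d+\): no connection!$")),
    ("client sent abandon", re.compile(r"^conn=\d+ op=\d+ ABANDON msg=\d+$")),
    ("password policy control not available",
     re.compile(r"unrecognized control: 1\.3\.6\.1\.4\.1\.42\.2\.27\.8\.5\.1$")),
]

def classify(message):
    """Return the first matching label, or 'unclassified' for anything else."""
    for label, pattern in RULES:
        if pattern.search(message):
            return label
    return "unclassified"

def summarize(text):
    """Return {day: Counter(label -> count)}, looking at slapd lines only."""
    per_day = defaultdict(Counter)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            per_day[m.group(1)][classify(m.group(2))] += 1
    return per_day

def deferrals_per_day(text):
    """Count both kinds of 'deferring operation' message for each day."""
    return {day: sum(n for label, n in counts.items() if label.startswith("deferred"))
            for day, counts in summarize(text).items()}

if __name__ == "__main__":
    for day, counts in summarize(SAMPLE).items():
        print(day, dict(counts))
```

Lines that end up as "unclassified" are the ones worth reading by hand; everything else falls into a category the reply already explained.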
Hello Quanah,
thank you for your fast response!
On 23.03.2015 at 21:02, Quanah Gibson-Mount wrote:
> --On Monday, March 23, 2015 9:19 PM +0100 Timo Eissler timo@teissler.de wrote:
>> Mar 22 20:10:01 foobarsrv1 slapd[16923]: connection_input: conn=12652 deferring operation: binding
> Can be ignored. Server is simply busy and will process this bind when resources allow (this is an informational message).
I already thought it would be something like this, but what I don't understand is that the system has nearly no load (below 0.3) as it is a quad core system with 16GB RAM and this still happens.
What parameters are defining the available resources?
--On Monday, March 23, 2015 11:18 PM +0100 Timo Eissler timo@teissler.de wrote:
> Hello Quanah,
> thank you for your fast response!
>> Can be ignored. Server is simply busy and will process this bind when resources allow (this is an informational message).
> I already thought it would be something like this, but what I don't understand is that the system has nearly no load (below 0.3) as it is a quad core system with 16GB RAM and this still happens.
> What parameters are defining the available resources?
How many threads have you allocated to slapd?
--Quanah
I have no custom threads settings in my slapd.conf.
Currently slapd is running with 12 threads on my system with 8 cores (with hyperthreading).
On Thu, 26 Mar 2015 19:16:05 +0100, Timo Eissler timo@teissler.de wrote:
> I have no custom threads settings in my slapd.conf.
> Currently slapd is running with 12 threads on my system with 8 cores (with hyperthreading).
> [...]
I have seen this before. Could you provide an example of your search filters and the number of connections within a given time?
-Dieter
--On Thursday, March 26, 2015 8:16 PM +0100 Timo Eissler timo@teissler.de wrote:
> I have no custom threads settings in my slapd.conf.
> Currently slapd is running with 12 threads on my system with 8 cores (with hyperthreading).
I suggest reading the slapd.conf(5) man page and looking at the threads directive then. ;)
--Quanah
As the man page of slapd.conf says the default value for threads is 16, and I read on several sites that 4 threads per core should provide the best performance, I didn't specify the threads parameter.
But now I explicitly set threads to 16 and gave it a try.
Kind regards,
Timo
Which search filters do you mean?
I didn't execute any ldapsearch commands while I got the messages. There's just sssd on my two notebooks and pam_ldap/nss_ldap on the server itself.
-Timo
On Fri, 27 Mar 2015 20:17:12 +0100, Timo Eissler timo@teissler.de wrote:
> Which search filters do you mean?
> I didn't execute any ldapsearch commands while I got the messages. There's just sssd on my two notebooks and pam_ldap/nss_ldap on the server itself.
It is not you, performing a search, but pam-ldap. The nsswitch and pam configuration file is /etc/ldap.conf or, depending on the distribution, /etc/pam-ldap.conf. Have a look at filters and search base. If these are not configured properly and indexed, it may raise a high server load.
-Dieter
On 29.03.2015 at 13:53, Dieter Klünter wrote:
> On Fri, 27 Mar 2015 20:17:12 +0100, Timo Eissler timo@teissler.de wrote:
>> Which search filters do you mean?
>> I didn't execute any ldapsearch commands while I got the messages. There's just sssd on my two notebooks and pam_ldap/nss_ldap on the server itself.
> It is not you, performing a search, but pam-ldap. The nsswitch and pam configuration file is /etc/ldap.conf or, depending on the distribution, /etc/pam-ldap.conf. Have a look at filters and search base. If these are not configured properly and indexed, it may raise a high server load.
> -Dieter
I know that, but I assumed you meant something else, because I already posted my /etc/ldap.conf with the initial mail to the list.
But here it is again:
host 127.0.0.1
base dc=foobar,dc=local
uri ldap://localhost/
ldap_version 3
scope one
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_member_attribute memberuid
pam_min_uid 1000
pam_password exop
nss_base_passwd ou=People,dc=foobar,dc=local?one
nss_base_shadow ou=People,dc=foobar,dc=local?one
nss_base_group ou=Groups,dc=foobar,dc=local?one
nss_base_hosts ou=Hosts,dc=foobar,dc=local?one
ssl start_tls
nss_initgroups_ignoreusers root,bin,daemon,adm,lp,sync,shutdown,halt,news,uucp,operator,portage,nobody,man,sshd,cron,mail,postmaster,ldap,mysql,mediatomb,dovecot,dovenull,apache,openvpn,clamav,bacula,asterisk,ntp
-Timo
openldap-technical@openldap.org
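Added example, not part of the original thread: one way to carry out the check Dieter suggests, comparing the attributes named by the pam_* settings in /etc/ldap.conf with the index directives in slapd.conf. The two inputs are constructed excerpts of the files posted above; the function names are this example's own. It assumes pam_login_attribute defaults to uid when unset, and it does not model the filters nss_ldap builds internally.

```python
import re

# Constructed excerpts of the two files posted in the thread.
SLAPD_CONF = """\
index objectClass eq
index uid pres,eq
index memberUid pres,eq
index uidNumber pres,eq
index gidNumber pres,eq
index cn pres,sub,eq
"""
LDAP_CONF = """\
pam_filter objectclass=posixAccount
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=foobar,dc=local?one
"""

def indexed_attrs(slapd_conf):
    """Map lower-cased attribute -> set of index types from 'index' lines.
    Simplification: lines without explicit types ('index default' users) are skipped."""
    out = {}
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "index":
            for attr in parts[1].split(","):
                out.setdefault(attr.lower(), set()).update(parts[2].split(","))
    return out

def client_attrs(ldap_conf):
    """Attributes that the pam_* settings will place into search filters."""
    attrs = {"uid"}  # assumption: pam_login_attribute unset, default is uid
    for line in ldap_conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "pam_filter":
            # attribute name at the start of the filter or right after "("
            attrs.update(a.lower() for a in re.findall(r"(?:^|\()([\w;-]+)[~<>]?=", value))
        elif key in ("pam_member_attribute", "pam_login_attribute"):
            attrs.add(value.strip().lower())
    return attrs

def missing_eq_index(slapd_conf, ldap_conf):
    """Attributes used by the client settings that lack an equality index."""
    idx = indexed_attrs(slapd_conf)
    return sorted(a for a in client_attrs(ldap_conf) if "eq" not in idx.get(a, set()))

if __name__ == "__main__":
    print("missing eq index:", missing_eq_index(SLAPD_CONF, LDAP_CONF))
```

For the configuration posted in the thread the list comes back empty: every attribute named by the pam_* settings has an equality index.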