OpenLDAP 2.4.44 under RHEL 7.1
I'm using back-ldap to proxy a back-mdb instance with 1K users. The relevant part of the proxy configuration is
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=com
olcDbURI: "ldap://ldap-server.example.com:389/"
olcDbIDAssertBind: bindmethod=none
olcDbIDAssertAuthzFrom: {0}"*"
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
I'm using slamd for doing performance tests. According to the back-ldap man page, sessions that explicitly Bind to the back-ldap database always create their own private connection to the remote LDAP server. The private connections are closed after the remote LDAP server idletimeout (15mn), but remain stuck in a CLOSE_WAIT status. Moreover, it seems that the private connections are not reused for further BIND with the same user since the available file descriptors (8192) on remote server are quickly exhausted (only 1K users). Using the parameter
olcDbSingleConn: TRUE
improves the situation (the number of connections open on the remote server and the proxy are more or less identical), but slapd logs show errors
2016-05-23T11:18:50.100499+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 ldap_back_retry: retrying URI="ldap:// mirror.example.com:389" DN=""
2016-05-23T11:18:50.100542+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 RESULT tag=97 err=52 text=Proxy operation retry failed
The encountered problem seems to be related to ITS#4387 ( http://www.openldap.org/its/index.cgi/Archive.Software%20Bugs?id=4387;select...) and ITS#4420 ( http://www.openldap.org/its/index.cgi/Archive.Incoming?id=4420;selectid=4420... )
openldap-technical@openldap.org
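An added example, not part of the original post: a small Python script that pairs each `ldap_back_retry` line with the `RESULT` line for the same conn/op, so the share of retries ending in err=52 can be measured per backend URI during a load test. The sample log is constructed in the format of the lines quoted above, and the function and outcome names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the slapd proxy log lines quoted above.
SAMPLE_LOG = """\
2016-05-23T11:18:50.100499+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 ldap_back_retry: retrying URI="ldap:// mirror.example.com:389" DN=""
2016-05-23T11:18:50.100542+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 RESULT tag=97 err=52 text=Proxy operation retry failed
2016-05-23T11:18:51.000100+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1420 op=3 ldap_back_retry: retrying URI="ldap://mirror.example.com:389" DN="uid=u1,dc=example,dc=com"
2016-05-23T11:18:51.000300+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1420 op=3 RESULT tag=97 err=0 text=
2016-05-23T11:18:52.000100+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1421 op=1 RESULT tag=97 err=49 text=
"""

OP = re.compile(r'conn=(\d+) op=(\d+) (.*)$')
RETRY = re.compile(r'ldap_back_retry: retrying URI="([^"]*)"')
RESULT = re.compile(r'RESULT tag=\d+ err=(\d+)')


def retry_outcomes(lines):
    """Return {backend URI: Counter of outcomes} for operations that were retried."""
    pending = {}  # (conn, op) -> backend URI of the retry still awaiting a RESULT
    stats = {}
    for line in lines:
        m = OP.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        retry = RETRY.search(rest)
        if retry:
            # Drop stray whitespace inside the URI (seen in the quoted log).
            pending[key] = "".join(retry.group(1).split())
            continue
        result = RESULT.search(rest)
        if result and key in pending:
            uri = pending.pop(key)
            err = int(result.group(1))
            # err=52 is LDAP "unavailable": the proxy gave up on the backend.
            if err == 52:
                outcome = "retry_failed"
            elif err == 0:
                outcome = "recovered"
            else:
                outcome = f"err={err}"
            stats.setdefault(uri, Counter())[outcome] += 1
    return stats


if __name__ == "__main__":
    for uri, counts in retry_outcomes(SAMPLE_LOG.splitlines()).items():
        print(uri, dict(counts))
```

Operations that return an error without a preceding retry line (conn=1421 in the sample) are left out, so the counts reflect only what happened after the proxy attempted to reconnect.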