Hi,
we have two openLDAP Servers configured with back_ldap. Each server has one non-OpenLDAP-Server as “target”.
I passed a redacted copy of my configuration below.
At any given time we have around 100 connections from clients to the openLDAP Server. I noticed that there are a lot more connections open from the ldap Server to the “target” Servers. Sometimes close to 1000. As this is a temporary setup I did not investigate any more. In the last days we sometimes see the following errors in log:
“daemon: accept(10) failed errno=24 (Too many open files)”
“connection_input: conn=1799 deferring operation: too many executing”
“connection_read(446): no connection!”
I suspect that this is because there are more than 1024 connections open and the OS is preventing opening more FDs.
I am not sure why we have so many open connections to the “target” servers.
Maybe someone can spot my config error.
Thanks in advance.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcIdleTimeout: 15
olcLocalSSF: 256
olcLogLevel: none
olcPidFile: /var/lib/openldap/slapd.pid
olcRootDSE: /etc/openldap/rootDSE.ldif
olcSaslSecProps: noplain,noanonymous
olcSecurity: simple_bind=256 ssf=256 tls=0
olcTLSCACertificateFile: /etc/ssl/certs/ca-bundle.crt
olcTLSCertificateFile: /etc/openldap/certs/server.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
olcTLSCipherSuite: DEFAULT:-SHA1:-CBC
olcTLSDHParamFile: /etc/openldap/dhparam.pem
olcTLSProtocolMin: 3.3
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcAccess: redacted
olcDbACLBind: bindmethod=simple binddn=cn=proxy,ou=admin,o=tu-darmstadt credentials=redacted tls_cacert=/etc/ssl/certs/ca-bundle.crt
olcDbStartTLS: ldaps tls_cacert=/etc/ssl/certs/ca-bundle.crt
olcDbURI: ldaps://backend-server01.example.com/
olcRootDN: cn=admin,ou=admin,o=tu-darmstadt
olcSizeLimit: unlimited
olcSuffix: o=tu-darmstadt
olcTimeLimit: 90
Kind regards
Clemens (Bergmann)
Suggestion: examine the connections you have, either with “netstat” or with the monitoring connection database. Maybe you get an idea what kind of connections you have.
Kind regards, Ulrich Windl
From: Bergmann, Clemens clemens.bergmann@tu-darmstadt.de Sent: Tuesday, July 1, 2025 3:48 PM To: openldap-technical@openldap.org Subject: [EXT] many connections in proxy setup
--
Clemens Bergmann
[er/ihm; he/him]
Gruppe Nutzermanagement und Entwicklung
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64283 Darmstadt
Tel. +49 6151 16 71184
http://www.hrz.tu-darmstadt.de/
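Following Ulrich's suggestion, here is an added shell example (not from the thread and not OpenLDAP's own tooling) that groups established TCP connections by peer from `ss -tan`/`netstat -tan` style output and checks the total against the 1024-descriptor limit the original post suspects. The input is a constructed sample shaped like the proxy situation described above: a few inbound client connections on port 636 and many outbound connections to one backend. The addresses, the backend host and the 80% warning threshold are assumptions.

```shell
#!/bin/sh
# Added example: summarise established connections per remote endpoint and
# compare the total to an open-file limit. Not part of the original thread.

# Constructed sample in "ss -tan" layout: two client connections to our slapd
# (local port 636) and four outbound connections to the backend 10.0.0.20:636.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:636       198.51.100.5:51044
ESTAB      0      0      192.0.2.10:636       198.51.100.6:49912
ESTAB      0      0      192.0.2.10:40110     10.0.0.20:636
ESTAB      0      0      192.0.2.10:40112     10.0.0.20:636
ESTAB      0      0      192.0.2.10:40114     10.0.0.20:636
ESTAB      0      0      192.0.2.10:40116     10.0.0.20:636
TIME-WAIT  0      0      192.0.2.10:40118     10.0.0.20:636'

# Count ESTAB rows grouped by peer "host:port" (column 5), highest count first.
# Reads ss/netstat-like text on stdin and prints "<count> <peer>" per line.
count_by_peer() {
    awk '$1 == "ESTAB" { n[$5]++ }
         END { for (p in n) printf "%d %s\n", n[p], p }' | sort -rn
}

# Total number of ESTAB rows on stdin (prints 0 when there are none).
count_established() {
    awk '$1 == "ESTAB" { c++ } END { print c + 0 }'
}

# Succeeds when "used" is below 80% of "limit" (assumed warning threshold).
fd_headroom_ok() {
    used=$1
    limit=$2
    [ "$((used * 100))" -lt "$((limit * 80))" ]
}

# Stand-alone run over the constructed sample. On a live host replace the
# sample with "ss -tan" output and take the limit from the slapd process's
# soft "open files" value in /proc/<pid>/limits rather than the shell's ulimit.
total=$(printf '%s\n' "$SAMPLE_SS" | count_established)
printf 'established connections: %s\n' "$total"
printf '%s\n' "$SAMPLE_SS" | count_by_peer
if fd_headroom_ok "$total" 1024; then
    echo "fd headroom ok"
else
    echo "WARNING: approaching the open-file limit"
fi
```

The per-peer grouping is what separates inbound client connections (peers on ephemeral ports) from the proxy's own outbound connections (peers on the backend's port 636); as the later replies in this thread note, cn=Monitor lists only the inbound side, so the outbound side is only visible with OS-level tools like this.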
Hi Ulrich,
thanks for the suggestion. In netstat/lsof I see that most of the connections (~900 of the ~1000 open connections) are to the proxy "target" servers. I can also see the other end of these connections in netstat/lsof on the "target" server. In cn=Connections,cn=Monitor I only see the ~100 client connections, which seems about right.
Kind regards
Clemens (Bergmann)
Hi!
Too bad: I also noticed that syncrepl RefreshAndPersist connections are not shown in the connection monitor (or I was unable to find those).
Kind regards, Ulrich Windl
-----Original Message----- From: Bergmann, Clemens clemens.bergmann@tu-darmstadt.de Sent: Thursday, July 3, 2025 3:50 PM To: Windl, Ulrich u.windl@ukr.de; openldap-technical@openldap.org Subject: [EXT] AW: many connections in proxy setup
-----Original Message----- From: Windl, Ulrich u.windl@ukr.de Sent: Thursday, 3 July 2025 08:55 To: Bergmann, Clemens clemens.bergmann@tu-darmstadt.de; openldap-technical@openldap.org Subject: RE: many connections in proxy setup
On 04Jul25 06:25+0000, Windl, Ulrich wrote:
Too bad: I also noticed that syncrepl RefeshAndPersist connections are not shown in the connection monitor (or I was unable to find those).
Check for an entry with oc olmSyncReplInstance on the database which has syncrepl configured. The setting 'monitoring' in the database section defaults to on.
This results in my case:
```
# Consumer 001, Database 1, Databases, Monitor
dn: cn=Consumer 001,cn=Database 1,cn=Databases,cn=Monitor
objectClass: olmSyncReplInstance
structuralObjectClass: olmSyncReplInstance
cn: Consumer 001
creatorsName: cn=monadm,cn=Monitor
modifiersName: cn=monadm,cn=Monitor
createTimestamp: 20250701104800Z
modifyTimestamp: 20250701104800Z
olmSRProviderURIList: ldap://10.88.0.2
olmSRConnection: IP=10.88.0.1:49602
olmSRSyncPhase: Persist
olmSRNextConnect: 00000101000000Z
olmSRLastConnect: 20250701104820Z
olmSRLastContact: 20250704045546Z
olmSRLastCookieRcvd: rid=001,sid=038,csn=20250704045546.696674Z#000000#038#000000
olmSRLastCookieSent: rid=001,sid=037,csn=20231117084531.264299Z#000000#001#000000;20231113122043.351289Z#000000#002#000000;20240618124202.786940Z#000000#037#000000;20250701094202.306893Z#000000#038#000000
entryDN: cn=Consumer 001,cn=Database 1,cn=Databases,cn=Monitor
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
```
slapd 2.6.9
Cheers,
openldap-technical@openldap.org
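As an added example (not part of the thread and not OpenLDAP's own code), the shell functions below read olmSyncReplInstance entries in the LDIF form quoted above and flag consumers that are not in the Persist phase or whose olmSRLastContact is older than a reference time. The two-entry sample is constructed from the quoted entry; Consumer 002, its provider URI and its timestamps are invented. Against a live server the input would come from an ldapsearch under cn=Monitor with the filter (objectClass=olmSyncReplInstance), assuming the monitor database is enabled and readable by the caller.

```shell
#!/bin/sh
# Added example: summarise syncrepl consumer entries from cn=Monitor LDIF and
# flag stale or non-persist consumers. Not part of the original thread.

# Constructed sample: Consumer 001 mirrors the quoted entry (trimmed),
# Consumer 002 is invented and is stuck in Refresh with an older last contact.
SAMPLE_MONITOR='dn: cn=Consumer 001,cn=Database 1,cn=Databases,cn=Monitor
objectClass: olmSyncReplInstance
cn: Consumer 001
olmSRProviderURIList: ldap://10.88.0.2
olmSRSyncPhase: Persist
olmSRLastConnect: 20250701104820Z
olmSRLastContact: 20250704045546Z
olmSRLastCookieRcvd: rid=001,sid=038,csn=20250704045546.696674Z#000000#038#000000

dn: cn=Consumer 002,cn=Database 1,cn=Databases,cn=Monitor
objectClass: olmSyncReplInstance
cn: Consumer 002
olmSRProviderURIList: ldap://10.88.0.3
olmSRSyncPhase: Refresh
olmSRLastConnect: 20250703120000Z
olmSRLastContact: 20250703120500Z
olmSRLastCookieRcvd: rid=002,sid=039,csn=20250703120500.000000Z#000000#039#000000'

# Print "cn|phase|lastcontact" for each LDIF entry on stdin; entries are
# separated by a blank line, and the last entry is flushed in END.
consumer_summary() {
    awk -F': ' '
        $1 == "cn"               { cn = $2 }
        $1 == "olmSRSyncPhase"   { phase = $2 }
        $1 == "olmSRLastContact" { last = $2 }
        /^$/ { if (cn != "") print cn "|" phase "|" last; cn = phase = last = "" }
        END  { if (cn != "") print cn "|" phase "|" last }'
}

# Print the cn of every consumer that is not in Persist phase or whose
# olmSRLastContact is earlier than the reference GeneralizedTime given as $1.
# GeneralizedTime values (YYYYMMDDhhmmssZ) compare correctly as strings.
stale_consumers() {
    ref=$1
    consumer_summary | awk -F'|' -v ref="$ref" '$2 != "Persist" || $3 < ref { print $1 }'
}

# Stand-alone run over the constructed sample, using an assumed reference time.
printf '%s\n' "$SAMPLE_MONITOR" | consumer_summary
echo "stale consumers:"
printf '%s\n' "$SAMPLE_MONITOR" | stale_consumers 20250704000000Z
```

On a live system the reference time would be the current UTC time in the same format (for example from `date -u +%Y%m%d%H%M%SZ`) minus the tolerated silence; a RefreshAndPersist consumer that is healthy stays in Persist and keeps olmSRLastContact recent, which is the state the check above expects.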