Re: slapd hangs connections to ldap server with CLOSE_WAIT

[Howard Chu <hyc@symas.com>]

It sounds like the remote server times out idle connections after 30 
minutes, and back-ldap is not retrying them after that point. This 
appears to be the same problem as ITS#3217 
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=3217 which has 
been fixed in CVS but the fix has not been backported to the 2.2 release 
yet.

Frederik Schmallborn wrote:

> Hi!
>
> I'm using OpenLDAP 2.17 on AIX 4.3.3 machine. The LDAP server is used 
> for authentication of Apache WEB server.
>
> In the slapd.conf there are two databases configured:
>
> - local database - used to configure local usergroups:
>
> database ldbm
> suffix "ou=department,o=company,c=country"
>
> - central company's LDAP user/password database:
>
> database ldap
> suffix ou=people,dc=company,dc=com
> uri "ldap://laas.muc:3892/";
>
> I connect with a Web browser to Apache and authentication and 
> usergroup permissions are working fine. I see on the LDAP server two 
> connections on port 3892 to the server laas.muc:
>
> slapd 15844 root 6u IPv4 0x7042badc 0t0 TCP *:389 (LISTEN)
> slapd 15844 root 7u IPv4 0x70204adc 0t763 TCP 
> netmgrw1:389->netmgrw1:42465 (ESTABL
> ISHED)
> slapd 15844 root 8u IPv4 0x70253adc 0t1516 TCP 
> netmgrw1:389->netmgrw1:42466 (ESTABL
> ISHED)
> slapd 15844 root 9u IPv4 0x7033dadc 0t380 TCP 
> netmgrw1:42467->laas.muc:3892 (ESTAB
> LISHED)
> slapd 15844 root 10u IPv4 0x702536dc 0t252 TCP 
> netmgrw1:42468->laas.muc:3892 (ESTAB
> LISHED)
> slapd 15844 root 11u IPv4 0x70370edc 0t76 TCP 
> netmgrw1:42469->laas.muc:3892 (ESTAB
> LISHED)
>
>
> The problem is, that after about 30min the connections to the laas.muc 
> are going to CLOSE_WAIT staus.
> If i try to connect now new web sites, the authentication is not 
> working one or two ways and after that is someways working, someway i 
> have to restart the slapd. Below i have attached some debug output 
> (debug level 255).
>
> This is only a testserver with very low load.
>
> Thanks for your help,
>
> Fred
>
>
>
> DEBUG output (-d 255):
>
>
> - successfull authentication and usergroup verification:
>
> dnMatch 0
> "uid=qx05435,ou=people,dc=bmwgroup,dc=com"
> "uid=qx05435,ou=people,dc=bmwgroup,dc=com"
> send_ldap_result: conn=1 op=12 p=3
> send_ldap_result: err=6 matched="" text=""
> send_ldap_response: msgid=13 tag=111 err=6
> ber_flush: 14 bytes to sd 8
> 0000: 30 0c 02 01 0d 6f 07 0a 01 06 04 00 04 00 0....o........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 0d 6f 07 0a 01 06 04 00 04 00 0....o........
> ====> cache_return_entry_r( 421 ): returned (0)
>
> - waiting about 30min - no ldap activities at this time.
>
> - connect web page needin authentication:
>
> daemon: activity on 1 descriptors
> daemon: activity on: 8r
> daemon: read activity on 8
> connection_get(8)
> connection_get(8): got connid=1
> connection_read(8): checking for input on id=1
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 58 02 01 0e 63 53 04 0X...cS.
> ldap_read: want=82, got=82
>
> ........
>
> wait4msg continue, msgid 3, all 0
> ldap_send_initial_request
> ** Connections:
> * host: laas.muc port: 3892 (default)
> refcnt: 2 status: Connected
> ldap_send_server_request
> last used: Wed Dec 1 12:33:58 2004
>
> ** Outstanding Requests:
> * msgid 3, origid 3, status InProgress
> outstanding referrals 0, parent count 0
> ** Response Queue:
> Empty
> ber_flush: 92 bytes to sd 11
> ldap_chkResponseList for msgid=3, all=0
>
> .........
>
> ldap_read: want=8 error=Connection reset by peer
> ldap_write: want=92, written=92
> ber_get_next failed.
>
> .........
>
> ldap_unbind
> ldap_free_request (origid 3, msgid 3)
> ldap_free_connection
> ldap_send_unbind
>
> ........
>
>
> ldap_write: want=7 error=Broken pipe
> 0050: 30 35 34 33 35 30 05 04 03 75 69 64 054350...uid
> ldap_free_connection: actually freed
> ldap_result msgid 2
> ldap_chkResponseList for msgid=2, all=0
> ldap_chkResponseList returns NULL
> wait4msg (timeout 0 sec, 100000 usec), msgid 2
> wait4msg continue, msgid 2, all 0
> ** Connections:
> * host: laas.muc port: 3892 (default)
> refcnt: 2 status: Connected
> last used: Wed Dec 1 12:33:58 2004
>
> ** Outstanding Requests:
> send_ldap_result: conn=1 op=13 p=3
> * msgid 2, origid 2, status InProgress
> outstanding referrals 0, parent count 0
> ** Response Queue:
> Empty
> send_ldap_result: err=52 matched="" text=""
> send_ldap_response: msgid=14 tag=101 err=52
> ldap_chkResponseList for msgid=2, all=0
> ber_flush: 14 bytes to sd 8
> ldap_chkResponseList returns NULL
>
> .............
>
> ldap_create
> ldap_url_parse_ext(ldap://laas.muc:3892/)
> [rw] bindDN: "uid=user1,ou=people,dc=company,dc=com" -> 
> "uid=user1,ou=people,dc=company,dc=com
> "
> =>ldap_back_getconn: conn 21b5ff78 inserted
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP laas.muc:3892
> ldap_new_socket: 10
> ldap_prepare_socket: 10
> ldap_connect_to_host: Trying 10.48.101.39:3892
> ldap_connect_timeout: fd: 10 tm: -1 async: 0
> ldap_ndelay_on: 10
> ldap_is_sock_ready: 10
> ldap_ndelay_off: 10
> ldap_open_defconn: successful
> ldap_send_server_request
>
> ........
>
> _________________________________________________________________
> Don’t just search. Find. Check out the new MSN Search! 
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/


--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support