We've been gradually turning all our productions authentication and
authorization services over to OpenLDAP. Using OpenLDAP-2.1.12 on a
RedHat 7.2 machine. The hardware is 1 Gh/s processor with 512MB RAM.
Using Adaptec SCSI host adapters on RAID5. Using an INTEL PRO/100 Fast
Ethernet Adapter.
The total number of BIND operations logged on the ldap server is a little
over 3 per second. These operations represent authentication requests
from radius and attribute checking from our mail servers (correlating
usernames to home directories and permissions and mail quotas).
However, we are experiencing events in our ldap logs that report only
"deferring operation" from slapd. These occur roughly once every three
seconds all the time. Now we are ready to turn up our POP servers to
authenticate against our ldap server. But when we do that we get the
following errors out of our (Solaris 9) mail (POP3) servers:
"/var/adm/messages:
Mar 3 12:10:09 mail3 nscd[3874]: [ID 293258 user.error] libsldap:
Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP
server
/var/adm/messages
Mar 3 12:10:15 mail3 nscd[3874]: [ID 293258 user.error] libsldap:
Status: 7 Mesg: LDAP ERROR (89): Bad parameter to an ldap routine."
These errors start slowly and become more and more frequent until, after
5 or so minutes, the POP server quits working altogether.
Our slapd server is running the maximum number of threads (36) all the
time. I notice that the connections between the mail servers and the
ldap server are reopening for each operation - probably not the most
efficient way of doing things but this is imbedded in Solaris (specifying
'ldap' in nsswitch.conf).
Any tips or suggestions about the cause of this apparent performance
problem. What, exactly, does the "deferring operation" message from
slapd mean? Certainly, I would think, there are those of you out there
who are hammering your slapd servers much harder than we are without
issue, correct?