On 5 Apr 2011 16:11, "c0re" <nr1c0re@gmail.com> wrote:
>
> nss_ldap.conf:
>
> timelimit 10
> bind_timelimit 5
> bind_policy soft
> nss_connect_policy oneshot
>
> I think every mail that comes through my mail relay asks openldap about nss... How can I work around this?
>
> 2011/4/5 Marco Pizzoli <marco.pizzoli@gmail.com>
>>
>> ---------- Forwarded message ----------
>> From: "Marco Pizzoli" <marco.pizzoli@gmail.com>
>> Date: 5 Apr 2011 14:29
>> Subject: Re: Tuning openldap, nss_ldap and pam_ldap
>> To: "c0re" <nr1c0re@gmail.com>
>>
>> Hi,
>> If it was the same problem that I had some time ago, it was due to idle connections that I told slapd to close after x seconds.
>> Check yours, and eventually set a keep alive parameter on your client, nss_ldap.
>>
>> Regards
>> Marco
>>
>> On 5 Apr 2011 13:44, "c0re" <nr1c0re@gmail.com> wrote:
>> >
>> > Hello openldap users!
>> >
>> > I've got Openldap 2.4.23 that is used as authentication and authorization server for about 40-50 servers.
>> > OS - FreeBSD 8.1.
>> >
>> > It's not heavily loaded.
>> >
>> > openldap# top -SP
>> > last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57
>> > 99 processes: 3 running, 80 sleeping, 16 waiting
>> > CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle
>> > CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle
>> > Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
>> > Swap: 4060M Total, 8K Used, 4060M Free
>> >
>> > PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
>> > 11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle
>> > 4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd
>> >
>> > But on my servers sometimes I see in logs something like
>> >
>> > on FTP-server:
>> > Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable
>> >
>> > Authentication works fine, no problems. But I want to find out what can be wrong.
>> >
>> > To understand this problem I installed ldap-stats utility and made it run:
>> >
>> > /var/log/debug.log - it's half day openldap server usage log.
>> >
>> > openldap# ldap-stats -c 1000 /var/log/debug.log
>> >
>> >
>> > Report Generated on Tue Apr 5 15:16:47 2011
>> > --------------------------------------------
>> > Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33
>> >
>> >
>> > Operation totals
>> > ----------------
>> > Total operations : 913845
>> > Total connections : 101226
>> > Total authentication failures : 2
>> > Total binds : 99700
>> > Total unbinds : 99181
>> > Total searches : 714964
>> > Total compares : 7
>> > Total modifications : 0
>> > Total modrdns : 0
>> > Total additions : 0
>> > Total deletions : 0
>> > Unindexed attribute requests : 0
>> > Operations per connection : 9.03
>> >
>> >
>> > # Uses Filter
>> > ---------- -----------------------------------------------------------
>> > 615504 (&(objectClass=posixAccount)(uid=mailer-daemon))
>> > 90699 (&(objectClass=posixGroup))
>> > 6833 (&(objectClass=posixAccount)(uid=root))
>> > 2236 (&(objectClass=posixAccount)(uid=hiddenuser1))
>> > 669 (&(objectClass=posixGroup)(memberUid=root))
>> > 318 (&(objectClass=posixAccount)(uid=testacc))
>> > 87 (&(objectClass=posixGroup)(memberUid=postfix))
>> > 87 (&(objectClass=posixAccount)(uid=postfix))
>> > 81 (objectClass=posixAccount)
>> > 68 (&(objectClass=posixAccount)(uid=debian-exim))
>> > 68 (&(objectClass=posixGroup)(memberUid=Debian-exim))
>> > 39 (&(objectClass=posixAccount)(uid=normaluser))
>> > 34 (&(objectClass=posixAccount)(uidNumber=7333))
>> > 30 (&(objectClass=posixGroup)(memberUid=hiddenuser1))
>> > 29 (&(objectClass=posixGroup)(memberUid=chelovek))
>> > 29 (&(objectClass=posixAccount)(uid=chelovek))
>> > 27 (&(objectClass=posixAccount)(uid=user0))
>> > 23 (&(objectClass=posixAccount)(uid=nobody))
>> > 21 (&(objectClass=posixAccount)(uid=user1))
>> > 18 (&(objectClass=posixAccount)(uid=user2))
>> > 16 (&(objectClass=posixAccount)(uid=user3))
>> > 15 (&(objectClass=posixAccount)(uid=user4))
>> > 12 (&(objectClass=posixAccount)(uid=user5))
>> > 11 (&(objectClass=posixAccount)(uidNumber=7330))
>> > 10 (&(objectClass=posixAccount)(uid=user15))
>> > 9 (&(objectClass=posixAccount)(uid=user16))
>> > 8 (&(objectClass=posixAccount)(uidNumber=7333))
>> > 6 (&(objectClass=posixAccount)(uid=user6))
>> > 5 (&(objectClass=posixAccount)(uid=user7))
>> > 5 (cn=defaults)
>> > 4 (&(objectClass=posixAccount)(uidNumber=7228))
>> > 4 (&(objectClass=shadowAccount)(uid=user1))
>> > 4 (&(objectClass=posixAccount)(uid=user9))
>> > 4 (&(objectClass=posixAccount)(uid=user10))
>> > 4 (&(objectClass=posixAccount)(uid=user11))
>> > 3 (&(objectClass=posixAccount)(uid=user12))
>> > 3 (&(objectClass=posixAccount)(uid=user13))
>> > 3 (&(objectClass=posixAccount)(uid=user14))
>> > ...............
>> > and MANY others that have 1 use in these stats.
>> > I think this many queries come from the mail relay server.
>> > * user1, etc. - just hidden real users.
>> >
>> > What can I do to tune nss? Can you point me in the right direction? I do not know what to look at.
>> > If you need any additional information, logs, etc. - I'll provide it.
>> >
>> > Thanks in advance!
>> >
>
>
Have you got pam_ldap.conf configured?
If so, what are the corresponding configurations related to ldap server connections?
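
Added example, not part of the thread and not code from ldap-stats: ldap-stats counts filters but does not say which client sent them, so this sketch joins slapd's ACCEPT lines to SRCH lines by conn= to show which host issues the hot filter and how many connections each host opens. It assumes slapd logs at "loglevel stats" to syslog; the log lines, addresses (192.0.2.0/24) and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of slapd "loglevel stats" syslog lines (not from the thread).
SAMPLE_LOG = """\
Apr  5 10:00:01 ldap slapd[4773]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Apr  5 10:00:01 ldap slapd[4773]: conn=1001 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 10:00:01 ldap slapd[4773]: conn=1001 fd=14 closed
Apr  5 10:00:02 ldap slapd[4773]: conn=1002 fd=14 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
Apr  5 10:00:02 ldap slapd[4773]: conn=1002 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 10:00:02 ldap slapd[4773]: conn=1002 fd=14 closed
Apr  5 10:00:03 ldap slapd[4773]: conn=1003 fd=15 ACCEPT from IP=192.0.2.20:40100 (IP=0.0.0.0:389)
Apr  5 10:00:03 ldap slapd[4773]: conn=1003 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Apr  5 10:00:03 ldap slapd[4773]: conn=1003 op=2 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+\s")
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="[^"]*" scope=\d+ deref=\d+ filter="(.*)"\s*$')
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed")

def attribute(lines):
    """Return (filter -> Counter of client IPs, Counter of connections per IP)."""
    conn_ip, hits, conns = {}, defaultdict(Counter), Counter()
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
            conns[m.group(2)] += 1
        elif m := SRCH_RE.search(line):
            # A SRCH whose ACCEPT predates the log window is counted as "unknown".
            hits[m.group(2)][conn_ip.get(m.group(1), "unknown")] += 1
        elif m := CLOSED_RE.search(line):
            conn_ip.pop(m.group(1), None)  # keep the map bounded on long logs
    return hits, conns

def top_sources(hits, n=3):
    """Busiest filters as (total, filter, (top client IP, its count))."""
    rows = [(sum(c.values()), f, c.most_common(1)[0]) for f, c in hits.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))[:n]

if __name__ == "__main__":
    hits, conns = attribute(SAMPLE_LOG.splitlines())
    for total, flt, (ip, count) in top_sources(hits):
        print(f"{total:6d} {flt}  top client {ip} ({count})")
    print("connections per client:", dict(conns))
```

A high connection count from one host alongside roughly one search per connection matches a client that opens a fresh connection for each lookup, which is what nss_connect_policy oneshot does.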