[K12OSN] LDAP timeout question

John Lucas mrjohnlucas at gmail.com
Sat Nov 17 18:06:06 UTC 2007


On Friday 16 November 2007 18:45, Rob Owens wrote:
> Very interesting.
>
> Is there a way to increase the open file limit on a per-user basis?
>
> -Rob
>

These are some of the comments from the top of the /etc/security/limits.conf 
file on K12LTSP5EL (CentOS 5):

#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#

> On Fri, Nov 16, 2007 at 11:28:17AM -0500, Jim Kronebusch wrote:
> > Okay, it turns out that a default Edubuntu Feisty server with openldap
> > installed opens 16 files per every user logged in (I suppose "default"
> > isn't entirely accurate, I do have other apps installed such as
> > xterminator, fl_teachertool, LDM_DIRECTX=true, etc.). Each application
> > opened thereafter uses 1 more open file under the openldap user. These
> > files remain open for the openldap user until the user session is
> > terminated. So if one student logged on to every client in my network and
> > opened both Firefox and OpenOffice, openldap would have 18 files opened
> > per user across 108 clients.  Now this is the part I can figure out
> > easily, 108 users x 18 open files per user equals 1944 open files for the
> > openldap user.  The default open file limit per user under Edubuntu
> > feisty is 1024, so the max users I can have even logged into the
> > server with no other open applications is 64.  After that the openldap
> > user is unable to open any more files, and as a result slapd returns the
> > error of too many files open.
> >
> > So from what I read, this can be solved one of two ways.  Either start
> > the slapd service under the root user (security problems here I think) or
> > change the amount of allowed open files per user in
> > /etc/security/limits.conf.
> >
> > So upon some detective work I have determined that my mail server usually
> > has 15 concurrent files open under openldap user, and my maximum expected
> > amount of open files with all 108 users logged in and two applications is
> > 1944, and a freshly rebooted server has about 50 open files for the
> > openldap user, I figured a limit of over 2000 should suffice.  I then
> > decided I never want to see this error again, so I set the following in
> > /etc/security/limits.conf:
> >
> > *               soft    nofile  4096
> > *               hard    nofile  4096
> >
> > This set the default for all users to a hard and soft limit of 4096 open
> > files.  Now I wait and see what happens.
> >
> > If this works, I think there is a huge flaw with the maximum open file
> > limit and the default configuration of OpenLDAP when used in a thin
> > client environment.
> >
> > I hope this can be fixed in the future with some sane defaults.  I'll
> > post back whether or not this is a permanent solution to my problems.
> >
> > Jim
> >
> > On Thu, 15 Nov 2007 11:50:05 -0500, Jim Kronebusch wrote
> >
> > > I am having problems with my user openldap running out of enough files
> > > when I have heavy use class period after class period.  I am trying to
> > > figure out the best way to increase the open file limit for the
> > > openldap user (so far increasing with /etc/security/limits.conf) and
> > > what a reasonable limit is. Any suggestions along these lines would be
> > > appreciated.
> > >
> > > But my real question is, what are the effects of implementing an
> > > idle_timeout in slapd.conf?  We have 50-75 users connecting at every
> > > class period. Throughout the day the open files for the openldap user
> > > start to build and don't drop off immediately after every class.  I'll
> > > quickly state that the default for per user open files in Edubuntu seems
> > > to be 1024, and ldap stops responding when we hit this limit.  So I'm
> > > wondering if instead of increasing the open file limit, if I'm better
> > > off adding an idle_timeout
> > > (default is 0 which disables the timeout).  I am thinking of a timeout
> > > just a little longer than our average class period.  My understanding
> > > of the timeout is that an increased load could be placed on the ldap
> > > server, but other than that there should be no adverse effects.  I'm
> > > hoping this change would keep my amount of files from growing
> > > throughout the day.
> > >
> > > Thoughts?  If anyone wants to give me a better explanation of what is
> > > going on I wouldn't baulk at that either.
> > >
> > > Quick note, this is running Edubuntu 7.04 with LDM_DIRECTX=True, and
> > > the auth server is the same as the client server.  My server has been
> > > set up according to my instructions at
> > > http://www.1-cs.com/ubuntu_ldap_howto.txt.  I also have an email server
> > > authenticating off of the same box, but no more than 20 of the ldap
> > > files seem to be associated with the email server at one time.  There
> > > are about 500 users and 108 thin clients.  Concurrent users typically
> > > do not exceed 75.  I've never seen processor usage go above 25% and
> > > RAM usage over 6GB (16GB total available) even when 75 concurrent users
> > > are in Firefox/Flash/OpenOffice at the same time, so I think it is safe
> > > to say the server is not overloaded.  And I see no obvious slowdowns
> > > during this type of use.  And just to note the only error I have when
> > > this happens is the following in /var/log/syslog:
> > >
> > > Nov 15 08:19:10 ltsp slapd[27148]: warning: cannot open
> > > /etc/hosts.allow: Too many open files
> > > Nov 15 08:19:10 ltsp slapd[27148]: warning: cannot open
> > > /etc/hosts.deny: Too many open files
> > >
> > > Thanks,
> > >
> > > Jim Kronebusch
> > > Cotter Tech Department
> > > 453-5188
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by the Cotter Technology
> > > Department, and is believed to be clean.
> > >
> > > _______________________________________________
> > > K12OSN mailing list
> > > K12OSN at redhat.com
> > > https://www.redhat.com/mailman/listinfo/k12osn
> > > For more info see <http://www.k12os.org>
> > >
> >
> > Jim Kronebusch
> > Cotter Tech Department
> > 453-5188
> >
> >
> >
>

-- 
        "History doesn't repeat itself; at best it rhymes."
                        - Mark Twain

| John Lucas                          MrJohnLucas at gmail.com               |
| St. Thomas, VI 00802                http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W                        AST (UTC-4)                         |
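A small POSIX shell helper, added here and not part of the thread, that turns Jim's arithmetic (clients x files per user, plus the idle baseline) into a limits.conf entry scoped to the openldap account using the per-user domain syntax John quotes, and checks a running process against the limit it actually received. Function names and the 25% headroom are my own choices; the figures are the thread's, and the /proc paths assume Linux.

```shell
#!/bin/sh
# Added example, not from the thread or from K12LTSP/Edubuntu.

# required_nofile CLIENTS FILES_PER_USER BASELINE HEADROOM_PCT
# Peak descriptors = clients * per-user files + idle baseline, padded by a
# percentage and rounded up to a power of two (integer arithmetic only).
required_nofile() {
    peak=$(( $1 * $2 + $3 ))
    padded=$(( (peak * (100 + $4) + 99) / 100 ))
    limit=1
    while [ "$limit" -lt "$padded" ]; do
        limit=$(( limit * 2 ))
    done
    echo "$limit"
}

# limits_conf_entry ACCOUNT VALUE
# Emit limits.conf lines whose <domain> is one user name, so the raised
# ceiling is not handed to every login the way a "*" wildcard entry would.
limits_conf_entry() {
    printf '%s\tsoft\tnofile\t%s\n%s\thard\tnofile\t%s\n' "$1" "$2" "$1" "$2"
}

# fd_usage PID
# Report open descriptors against the soft limit the process really has.
# pam_limits applies limits.conf at PAM session open; a daemon started by an
# init script inherits init's ulimit instead, so read /proc rather than assume.
fd_usage() {
    [ -r "/proc/$1/limits" ] || { echo "no /proc entry for pid $1" >&2; return 2; }
    used=$(ls "/proc/$1/fd" 2>/dev/null | wc -l)
    soft=$(awk '/^Max open files/ { print $4 }' "/proc/$1/limits")
    case $soft in
        ''|unlimited) echo "pid $1: $used open files, no soft limit"; return 0 ;;
    esac
    pct=$(( used * 100 / soft ))
    echo "pid $1: $used of $soft open files (${pct}%)"
    [ "$pct" -lt 80 ]    # non-zero exit: alarm before "Too many open files"
}

# Thread's figures: 108 clients, 18 files each, ~50 idle, plus 25% headroom.
limits_conf_entry openldap "$(required_nofile 108 18 50 25)"
fd_usage "$$" || true    # for the real daemon: fd_usage "$(pidof slapd)"
```

With the thread's numbers the helper lands on 4096, the same value Jim chose; the fd_usage check is the one to run against slapd's pid after a reboot to confirm the new limit took effect.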
