[K12OSN] LDAP timeout question

Jim Kronebusch jim at winonacotter.org
Mon Nov 19 15:25:39 UTC 2007


Yes, replace the * with your user such as openldap.  Only reason I went with * for now
is I needed to know it would work on reboot.  I tried making the change on the fly and
restarting slapd and it didn't work.  Later I'll try with specifying only openldap and
make sure that works.

Jim

On Fri, 16 Nov 2007 17:45:10 -0500, Rob Owens wrote
> Very interesting.
> 
> Is there a way to increase the open file limit on a per-user basis?
> 
> -Rob
> 
> On Fri, Nov 16, 2007 at 11:28:17AM -0500, Jim Kronebusch wrote:
> > Okay, it turns out that a default Edubuntu Feisty server with openldap installed opens
> > 16 files per every user logged in (I suppose "default" isn't entirely accurate, I do
> > have other apps installed such as xterminator, fl_teachertool, LDM_DIRECTX=true, etc.).
> >  Each application opened thereafter uses 1 more open file under the openldap user. 
> > These files remain open for the openldap user until the user session is terminated. So
> > if one student logged on to every client in my network and opened both Firefox and
> > OpenOffice, openldap would have 18 files opened per user across 108 clients.  Now this
> > is the part I can figure out easily, 108 users x 18 open files per user equals 1944 open
> > files for the openldap user.  The default open file limit per user under Edubuntu feisty
> > is 1024, so the max users I can have even logged into the server with no other open
> > applications is 64.  After that the openldap user is unable to open any more files, and
> > as a result slapd returns the error of too many files open.
> > 
> > So from what I read, this can be solved one of two ways.  Either start the slapd service
> > under the root user (security problems here I think) or change the amount of allowed
> > open files per user in /etc/security/limits.conf.
> > 
> > So upon some detective work I have determined that my mail server usually has 15
> > concurrent files open under openldap user, and my maximum expected amount of open files
> > with all 108 users logged in and two applications is 1944, and a freshly rebooted server
> > has about 50 open files for the openldap user, I figured a limit of over 2000 should
> > suffice.  I then decided I never want to see this error again, so I set the following in
> > /etc/security/limits.conf:
> > 
> > *               soft    nofile  4096
> > *               hard    nofile  4096
> > 
> > This set the default for all users to a hard and soft limit of 4096 open files.  Now I
> > wait and see what happens.
> > 
> > If this works, I think there is a huge flaw with the maximum open file limit and the
> > default configuration of OpenLDAP when used in a thin client environment.
> > 
> > I hope this can be fixed in the future with some sane defaults.  I'll post back whether
> > or not this is a permanent solution to my problems.
> > 
> > Jim
> > 
> > On Thu, 15 Nov 2007 11:50:05 -0500, Jim Kronebusch wrote
> > > I am having problems with my user openldap running out of enough files when I 
> > > have heavy use class period after class period.  I am trying to figure out the 
> > > best way to increase the open file limit for the openldap user (so far 
> > > increasing with /etc/security/limits.conf) and what a reasonable limit is. 
> > >  Any suggestions along these lines would be appreciated.
> > > 
> > > But my real question is, what are the effects of implementing an idle_timeout 
> > > in slapd.conf?  We have 50-75 users connecting at every class period.  
> > > Throughout the day the open files for the openldap user start to build and 
> > > don't drop off immediately after every class.  I'll quickly state that the 
> > > default for per user open files in Edubuntu seems to be 1024, and ldap stops 
> > > responding when we hit this limit.  So I'm wondering if instead of increasing 
> > > the open file limit, I'm better off adding an idle_timeout
> > > (default is 0 which disables the timeout).  I am thinking of a timeout just a little
> > > longer than our average class period.  My understanding of the timeout is that 
> > > an increased load could be placed on the ldap server, but other than that 
> > > there should be no adverse effects.  I'm hoping this change would keep my 
> > > amount of files from growing throughout the day.
> > > 
> > > Thoughts?  If anyone wants to give me a better explanation of what is going on 
> > > I wouldn't baulk at that either.
> > > 
> > > Quick note, this is running Edubuntu 7.04 with LDM_DIRECTX=True, and the auth 
> > > server is the same as the client server.  My server has been set up according 
> > > to my instructions at http://www.1-cs.com/ubuntu_ldap_howto.txt.  I also have 
> > > an email server authenticating off of the same box, but no more than 20 of the 
> > > ldap files seem to be associated with the email server at one time.  There are 
> > > about 500 users and 108 thin clients.  Concurrent users typically do not 
> > > exceed 75.  I've never seen processor usage go above 25% and RAM usage over 
> > > 6GB (16GB total available) even when 75 concurrent users are in 
> > > Firefox/Flash/OpenOffice at the same time, so I think it is safe to say the 
> > > server is not overloaded.  And I see no obvious slowdowns during this type of 
> > > use.  And just to note the only error I have when this happens is the 
> > > following in /var/log/syslog:
> > > 
> > > Nov 15 08:19:10 ltsp slapd[27148]: warning: cannot open /etc/hosts.allow: Too many open files
> > > Nov 15 08:19:10 ltsp slapd[27148]: warning: cannot open /etc/hosts.deny: Too many open files
> > > 
> > > Thanks,
> > > 
> > > Jim Kronebusch
> > > Cotter Tech Department
> > > 453-5188
> > > 
> > > -- 
> > > This message has been scanned for viruses and
> > > dangerous content by the Cotter Technology 
> > > Department, and is believed to be clean.
> > > 
> > > _______________________________________________
> > > K12OSN mailing list
> > > K12OSN at redhat.com
> > > https://www.redhat.com/mailman/listinfo/k12osn
> > > For more info see <http://www.k12os.org>
> > 
> > 
> > Jim Kronebusch
> > Cotter Tech Department
> > 453-5188


Jim Kronebusch
Cotter Tech Department
453-5188
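
An added example, not part of the original thread: limits.conf is applied by pam_limits when a PAM session opens, so the limit a running slapd actually has is best read from /proc/<pid>/limits. The script compares that soft limit with current descriptor use and with the thread's sizing (108 clients x 18 files, plus about 50 at idle); the function names and the 80% warning threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a daemon's effective open-file
# limit with its current and expected peak descriptor use (Linux /proc).
# Soft "Max open files" value from a /proc/<pid>/limits-format file.
soft_nofile() { awk '/^Max open files/ { print $4 }' "$1"; }

# Number of entries in a /proc/<pid>/fd-style directory.
count_fds() {
    n=0
    for f in "$1"/*; do
        if [ -e "$f" ] || [ -L "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Sizing used in the thread: sessions * files per session + idle baseline.
expected_peak() { echo $(( $1 * $2 + $3 )); }

# FAIL (2): soft limit below expected peak. WARN (1): current use at or above
# 80% of the limit (assumed threshold). OK (0) otherwise.
check_headroom() {
    limit=$(soft_nofile "$1"); used=$(count_fds "$2"); peak=$3
    if [ -z "$limit" ]; then echo "FAIL limit=unknown"; return 2; fi
    if [ "$limit" = "unlimited" ]; then echo "OK limit=unlimited used=$used"; return 0; fi
    if [ "$limit" -lt "$peak" ]; then
        echo "FAIL limit=$limit used=$used peak=$peak"; return 2
    fi
    if [ $((used * 100)) -ge $((limit * 80)) ]; then
        echo "WARN limit=$limit used=$used peak=$peak"; return 1
    fi
    echo "OK limit=$limit used=$used peak=$peak"
}

# Constructed sample (not from a real host): the 1024 default and 900 fake fds.
demo() {
    d=$(mktemp -d)
    printf 'Max open files            1024                 1024                 files\n' > "$d/limits"
    mkdir "$d/fd"
    i=0; while [ "$i" -lt 900 ]; do : > "$d/fd/$i"; i=$((i + 1)); done
    check_headroom "$d/limits" "$d/fd" "$(expected_peak 108 18 50)" || :
    rm -rf "$d"
}

# With a PID argument, check that process; otherwise run the constructed demo.
if [ "$#" -ge 1 ]; then
    check_headroom "/proc/$1/limits" "/proc/$1/fd" "$(expected_peak 108 18 50)"
else
    demo
fi
```

Run it as root or as the daemon's own user, since another user's /proc/<pid>/fd is not readable otherwise.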

