On Aug 28, 2019 5:39 PM, Allan Streib <astr...@indiana.edu> wrote:
>
> Allan Streib <astr...@indiana.edu> writes:
>
> > I see that fstat -u _ldapd always ends at FD 119 when the hang occurs:
> >
> > [...]
> > _ldapd   ldapd      42641  117* internet stream tcp 0x0 172.29.202.69:389 <-- 172.29.200.108:47864
> > _ldapd   ldapd      42641  118* internet stream tcp 0x0 172.29.202.69:389 <-- 172.29.200.104:56746
> > _ldapd   ldapd      42641  119* internet stream tcp 0x0 172.29.202.69:389 <-- 172.29.200.106:40436
> >
> > I tried the following:
> >
> > Gave _ldapd a login class of "ldap"
> >
> > Added to login.conf:
> >
> > ldap:\
> >         :openfiles=512:\
> >         :tc=daemon:
> >
> > restart ldapd.
> >
> > Still hangs with fstat output the same.
>
> OK I apparently misunderstand how login.conf works. I had assumed that
> the above would give the "ldap" class an openfiles limit of 512 and
> everything else as defined for the "daemon" class. My daemon entry
> looked like this:
>
> daemon:\
>         :ignorenologin:\
>         :datasize=infinity:\
>         :maxproc=infinity:\
>         :openfiles-max=1024:\
>         :openfiles-cur=128:\
>         :stacksize-cur=8M:\
>         :localcipher=blowfish,a:\
>         :tc=default:
>
> However apparently the daemon class openfiles-cur=128 was being enforced;
> I changed that to 512 as a test, restarted ldapd, and now fstat is
> showing around 170 FDs for _ldapd and that seems to be where it's
> stabilizing, and the hangs are not occurring.
>
> The login.conf man page says that tc "Interpolate/expands records from
> corresponding login.conf. See getcap(3)."
>
> What I'm seeing seems to indicate it's working backwards from what the
> "Override resource limits" comment indicates above the bgpd and unbound
> classes, which I used as a model, but maybe I'm missing something?
>
> I include the entire login.conf below, with my current openfiles-cur
> setting for the daemon class.
>
> Allan
>
>
>
>
>
> # $OpenBSD: login.conf,v 1.9 2017/02/06 18:11:33 sthen Exp $
>
> #
> # Sample login.conf file.  See login.conf(5) for details.
> #
>
> #
> # Standard authentication styles:
> #
> # passwd        Use only the local password file
> # chpass        Do not authenticate, but change users password (change
> #               the YP password if the user has one, else change the
> #               local password)
> # lchpass       Do not login; change user's local password instead
> # radius        Use radius authentication
> # reject        Use rejected authentication
> # skey          Use S/Key authentication
> # activ         ActivCard X9.9 token authentication
> # crypto        CRYPTOCard X9.9 token authentication
> # snk           Digital Pathways SecureNet Key authentication
> # tis           TIS Firewall Toolkit authentication
> # token         Generic X9.9 token authentication
> # yubikey       YubiKey authentication
> #
>
> # Default allowed authentication styles
> auth-defaults:auth=passwd,skey:
>
> # Default allowed authentication styles for authentication type ftp
> auth-ftp-defaults:auth-ftp=passwd:
>
> #
> # The default values
> # To alter the default authentication types change the line:
> #       :tc=auth-defaults:\
> # to be read something like: (enables passwd, "myauth", and activ)
> #       :auth=passwd,myauth,activ:\
> # Any value changed in the daemon class should be reset in default
> # class.
> #
> default:\
>         :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
>         :umask=022:\
>         :datasize-max=768M:\
>         :datasize-cur=768M:\
>         :maxproc-max=256:\
>         :maxproc-cur=128:\
>         :openfiles-max=1024:\
>         :openfiles-cur=512:\
>         :stacksize-cur=4M:\
>         :localcipher=blowfish,a:\
>         :tc=auth-defaults:\
>         :tc=auth-ftp-defaults:
>
> #
> # Settings used by /etc/rc and root
> # This must be set properly for daemons started as root by inetd as well.
> # Be sure reset these values back to system defaults in the default class!
> #
> daemon:\
>         :ignorenologin:\
>         :datasize=infinity:\
>         :maxproc=infinity:\
>         :openfiles-max=1024:\
>         :openfiles-cur=512:\
>         :stacksize-cur=8M:\
>         :localcipher=blowfish,a:\
>         :tc=default:
>
> #
> # Staff have fewer restrictions and can login even when nologins are set.
> #
> staff:\
>         :datasize-cur=1536M:\
>         :datasize-max=infinity:\
>         :maxproc-max=512:\
>         :maxproc-cur=256:\
>         :ignorenologin:\
>         :requirehome@:\
>         :tc=default:
>
> #
> # Authpf accounts get a special motd and shell
> #
> authpf:\
>         :welcome=/etc/motd.authpf:\
>         :shell=/usr/sbin/authpf:\
>         :tc=default:
>
> #
> # Building ports with DPB uses raised limits
> #
> pbuild:\
>         :datasize-max=infinity:\
>         :datasize-cur=4096M:\
>         :maxproc-max=1024:\
>         :maxproc-cur=256:\
>         :tc=default:
>
> #
> # Override resource limits for certain daemons started by rc.d(8)
> #
> bgpd:\
>         :openfiles=512:\
>         :tc=daemon:
>
> unbound:\
>         :openfiles=512:\
>         :tc=daemon:
>
> ldap:\
>         :openfiles=512:\
>         :tc=daemon:
>

May need to use rcctl to change its class to ldap.

Untested:
rcctl set ldapd class ldap

Edgar
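The precedence puzzle in the quoted message, as an added example that is not part of either message: a small Python model of how a login.conf class resolves its openfiles soft limit. It assumes getcap(3) tc= expansion (a record's own entries come first and the first match wins) and, as an assumption about libc's login_cap resource handling rather than something the thread states, that an openfiles-cur entry anywhere in the expanded record takes precedence over a bare openfiles entry; under those two rules the daemon class's openfiles-cur=128 reaches the ldap class through tc=daemon, which is what the fstat output showed.

```python
# Constructed login.conf fragment: the classes from the thread, with the
# daemon class as it was when the hang occurred (openfiles-cur=128).
LOGIN_CONF = r"""default:\
        :openfiles-cur=512:

daemon:\
        :openfiles-max=1024:\
        :openfiles-cur=128:\
        :tc=default:

ldap:\
        :openfiles=512:\
        :tc=daemon:
"""

def parse(text):
    """Return {class: [cap, ...]}, preserving each record's order."""
    records = {}
    for line in text.replace("\\\n", "").splitlines():  # glue continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, caps = line.partition(":")
        records[name] = [c.strip() for c in caps.split(":") if c.strip()]
    return records

def expand(records, cls, seen=()):
    """getcap(3) tc= expansion: own entries first, then the tc'd record."""
    if cls in seen:
        raise ValueError("tc= loop at " + cls)
    out = []
    for cap in records[cls]:
        if cap.startswith("tc="):
            out.extend(expand(records, cap[3:], seen + (cls,)))
        else:
            out.append(cap)
    return out

def lookup(caps, key):
    """First match wins, as cgetstr(3)/cgetnum(3) do on an expanded record."""
    for cap in caps:
        k, eq, v = cap.partition("=")
        if k == key and eq:
            return v
    return None

def soft_limit(records, cls, name="openfiles"):
    """Effective soft limit. Assumption (modelled on libc's login_cap
    resource handling): a 'name-cur' anywhere in the record beats 'name'."""
    caps = expand(records, cls)
    cur = lookup(caps, name + "-cur")
    return int(cur if cur is not None else lookup(caps, name))
```

Under this model the override class only wins if it sets openfiles-cur itself (an own entry precedes anything pulled in via tc=), and the class that matters is the one rc.d(8) actually starts the daemon under, not the one on the _ldapd passwd entry.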
