Hi,
This is a long shot, but worth it.
We are using the BEA WebLogic LDAPv2 Realm, which is implemented using
the Netscape Java SDK. In order to protect passwords that are sent over
the wire in BIND operations, we've elected to use SSL. The problem is,
after a somewhat consistent amount of activity (15-20k queries), the
LDAP server hangs completely (iDS 5.1sp1 on Solaris 8). The process is
still running, and you can connect to it both cleartext and via SSL, but
it refuses to answer queries (even cn=monitor/cn=config type queries),
and you must kill -9 it.
Obviously, the first thought isn't the Java SDK, but in a process of
elimination, we've tested with various variables removed. So far, the
only thing that has allowed us to continue running without hanging the
service is to turn SSL off in the WebLogic realm configuration.
I would think this is purely a problem with SSL on iDS, but at the same
time, we have another client (using the Netscape C SDK) making 10-15
times as many requests over SSL, with no problems. I would point at
BEA, but the WebLogic realm implementation appears to be quite
pedestrian, and there isn't anything that it's doing that should be able
to hang iDS (authenticating users via simple bind and looking for group
membership).
Right as the LDAP server hangs, the last thing we see is a
'slapd_poll(fd) timeout' (where fd = file descriptor of BEA realm
socket) and in the access log, the realm disconnects.
We are using OpenSSL-generated certs on iDS.
Anyone have thoughts on this one? Support hasn't been terribly
effective so far.
Thanks
Bob
