(Sorry for posting this message again, but it's better with a Subject)

OpenLDAP 2.4.44 under RHEL 7.1

I'm using back-ldap to proxy a back-mdb instance with 1K users. The
relevant part of the proxy configuration is

dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=com
olcDbURI: "ldap://ldap-server.example.com:389/"
olcDbIDAssertBind: bindmethod=none
olcDbIDAssertAuthzFrom: {0}"*"
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE

I'm using slamd for doing performance tests. According to the back-ldap man
page, sessions that explicitly Bind to the back-ldap database always create
their own private connection to the remote LDAP server. However, it seems
that the private connections are not reused for further BINDs with the same
user, since the available file descriptors (8192) on the remote server are
quickly exhausted (recall that my LDAP server has only 1K users, BINDs with
slamd are performed randomly). The private connections are closed after the
remote LDAP server idletimeout (15mn), but remain stuck in a CLOSE_WAIT
status. Using the parameter

olcDbSingleConn: TRUE

improves the situation (the number of connections open on the remote server
and the proxy are more or less identical), but slapd logs show errors

2016-05-23T11:18:50.100499+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 ldap_back_retry: retrying URI="ldap://mirror.example.com:389" DN=""
2016-05-23T11:18:50.100542+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 RESULT tag=97 err=52 text=Proxy operation retry failed

The encountered problem seems to be related to ITS#4387
(http://www.openldap.org/its/index.cgi/Archive.Software%20Bugs?id=4387;selectid=4387;usearchives=1)
and ITS#4420
(http://www.openldap.org/its/index.cgi/Archive.Incoming?id=4420;selectid=4420;usearchives=1)

Do I have to file an ITS?

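Added example, not part of the original post: a small Python script that pairs each ldap_back_retry log entry with the RESULT of the same conn/op and counts the outcomes per backend URI, so the rate of "Proxy operation retry failed" (err=52) can be tracked during a load test. The sample log lines are constructed, modelled on the two entries quoted in the post; the function name and outcome labels are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two log entries quoted in the post
# (each entry on a single line, as syslog writes it).
SAMPLE_LOG = """\
2016-05-23T11:18:50.100499+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 ldap_back_retry: retrying URI="ldap://mirror.example.com:389" DN=""
2016-05-23T11:18:50.100542+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1419 op=7201 RESULT tag=97 err=52 text=Proxy operation retry failed
2016-05-23T11:18:51.200000+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1420 op=3 ldap_back_retry: retrying URI="ldap://mirror.example.com:389" DN=""
2016-05-23T11:18:51.200900+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1420 op=3 RESULT tag=97 err=0 text=
2016-05-23T11:18:52.300000+02:00 proxy-ldap slapd-proxy_ldap[18402]: conn=1421 op=9 RESULT tag=97 err=49 text=
"""

RETRY = re.compile(r'conn=(\d+) op=(\d+) ldap_back_retry: retrying URI="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')


def summarize_retries(log_text):
    """Pair each ldap_back_retry entry with the RESULT of the same conn/op."""
    pending = {}       # (conn, op) -> backend URI being retried
    stats = Counter()  # (uri, outcome) -> count
    for line in log_text.splitlines():
        m = RETRY.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT.search(line)
        if not m:
            continue
        uri = pending.pop((m.group(1), m.group(2)), None)
        if uri is None:
            continue   # RESULT of an operation that was never retried
        # err=52 is the LDAP "unavailable" result code shown in the post
        outcome = "retry_failed" if m.group(3) == "52" else "err=" + m.group(3)
        stats[(uri, outcome)] += 1
    for uri in pending.values():
        stats[(uri, "no_result_seen")] += 1   # retry logged, RESULT missing
    return dict(stats)


if __name__ == "__main__":
    for (uri, outcome), n in sorted(summarize_retries(SAMPLE_LOG).items()):
        print(f"{uri}\t{outcome}\t{n}")
```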