In users Digest Issue 3741 (21 Dec 2009 15:54:32 -0000), Thomas Scheider wrote:

> [problems with LDAP authentication on 10.6.2]
> After 5000+ SSL requests, users begin to be denied log-in to the web
> site. In the Apache error_log the following is written:
>
> [Mon Dec 21 09:14:23 2009] [info] Initial (No.1) HTTPS request received for 
> child 6 (server 172.25.2.99:443)
> could not lookup DNS configuration info service: (ipc/send) invalid 
> destination port
> [...]
> On the same server I have a ProFTPD running which also does log-in
> verification against the LDAP server and retrieves various information
> about the user. The program runs into the same problems, i.e. the "could
> not lookup ..." begins to appear in its log file, and users are
> refused access to the FTP server.
> [...]

This would imply that the problem lies not with Apache, but with either
the LDAP server or OS 10.6.2 (which is, I assume, the OS on which the
Apache and ProFTPd applications are running).

> The messages "could not lookup .." do not begin to appear at the same
> time in the logfiles. The apache may be running fine, while the FTP server
> is rejecting users, and vice versa.

I'd suspect that the connections to the LDAP server are not being "cleaned
up", and once the application reaches its per-process file descriptor limit
it is being denied its request to open another network connection (i.e.,
allocate another file descriptor).  Check the output of:
  lsof -nPi | grep ":389"
(NOTE: You must execute this as "root" in order to see _all_ the connections)
This should show you all the current connections to the LDAP server, which
application/process is "controlling" that connection, and the current
connection state.

You might also check the system.log; there may be entries in there if the
LDAP connection requests ARE being rejected due to the file descriptor limit.

What to do next depends on:
  a) Whether my theory is correct; and,
  b) What state the connections are "hung" in.

Regards,

Michael A. Pasek
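
Added example, not part of the original message: a shell helper that turns the `lsof -nPi` output suggested above into a per-process, per-state count of connections whose remote port is exactly 389, so a pile-up in one state (for instance CLOSE_WAIT, where the peer has closed but the application still holds the descriptor) stands out. The function names, addresses, and PIDs in the sample are constructed for illustration.

```shell
#!/bin/sh
# Summarise TCP connections to an LDAP server (remote port 389) per process
# and TCP state. Reads `lsof -nPi` output on stdin.
# Output lines: COMMAND PID STATE COUNT
summarize_ldap_conns() {
    awk '
        # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        # Match only when the *remote* end is port 389; a plain grep ":389"
        # would also hit ports such as 3890 or a local port 389xx.
        $8 == "TCP" && $9 ~ /->[^ ]*:389$/ {
            state = $10
            gsub(/[()]/, "", state)
            if (state == "") state = "UNKNOWN"
            count[$1 " " $2 " " state]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample of `lsof -nPi` output (documentation addresses, made-up PIDs).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
httpd     611  www   14u  IPv4 0x0a1b2c3d      0t0  TCP 192.0.2.99:49201->192.0.2.10:389 (ESTABLISHED)
httpd     611  www   15u  IPv4 0x0a1b2c3e      0t0  TCP 192.0.2.99:49202->192.0.2.10:389 (CLOSE_WAIT)
httpd     611  www   16u  IPv4 0x0a1b2c3f      0t0  TCP 192.0.2.99:49203->192.0.2.10:389 (CLOSE_WAIT)
proftpd   702 root    7u  IPv4 0x0a1b2c40      0t0  TCP 192.0.2.99:49310->192.0.2.10:389 (CLOSE_WAIT)
httpd     611  www    4u  IPv4 0x0a1b2c41      0t0  TCP *:443 (LISTEN)
httpd     611  www   17u  IPv4 0x0a1b2c42      0t0  TCP 192.0.2.99:443->192.0.2.50:3890 (ESTABLISHED)
EOF
}

# Demo on the constructed sample. On a live system, run as root:
#   lsof -nPi | summarize_ldap_conns
sample_lsof | summarize_ldap_conns
```

Running the summary a few minutes apart shows whether the count for one process and state keeps growing, which is the pattern the file descriptor theory predicts.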

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.