From: c0re
To: FreeBSD
Date: Thu, 7 Apr 2011 10:38:00 +0400
Subject: Optimizing pam_ldap and nss_ldap

Hello freebsd users!

I've got Openldap 2.4.23 that is used as an authentication and authorization server for about 40-50 servers. OS - FreeBSD 8.1. It's not heavily loaded.

    openldap# top -SP
    last pid: 45647;  load averages:  0.15,  0.15,  0.07    up 81+22:29:21  15:18:57
    99 processes:  3 running, 80 sleeping, 16 waiting
    CPU 0:  0.7% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.3% idle
    CPU 1:  0.4% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.9% idle
    Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
    Swap: 4060M Total, 8K Used, 4060M Free

      PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
       11 root        2 171 ki31     0K    32K CPU0    0 3874.8 200.00% idle
     4773 ldap       18  44    0   398M 53748K ucond   1  41.1H   0.00% slapd

But on my servers I sometimes see in the logs something like this, on an FTP server:

    Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable

Authentication works fine, no problems. But I want to find out what can be wrong.

To understand this problem I installed the ldap-stats utility and ran it. /var/log/debug.log is half a day of the openldap server's usage log.

    openldap# ldap-stats -c 1000 /var/log/debug.log

    Report Generated on Tue Apr 5 15:16:47 2011
    --------------------------------------------
    Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33

    Operation totals
    ----------------
    Total operations              : 913845
    Total connections             : 101226
    Total authentication failures : 2
    Total binds                   : 99700
    Total unbinds                 : 99181
    Total searches                : 714964
    Total compares                : 7
    Total modifications           : 0
    Total modrdns                 : 0
    Total additions               : 0
    Total deletions               : 0
    Unindexed attribute requests  : 0
    Operations per connection     : 9.03

    # Uses     Filter
    ---------- -----------------------------------------------------------
    615504     (&(objectClass=posixAccount)(uid=mailer-daemon))
    90699      (&(objectClass=posixGroup))
    6833       (&(objectClass=posixAccount)(uid=root))
    2236       (&(objectClass=posixAccount)(uid=hiddenuser1))
    669        (&(objectClass=posixGroup)(memberUid=root))
    318        (&(objectClass=posixAccount)(uid=testacc))
    87         (&(objectClass=posixGroup)(memberUid=postfix))
    87         (&(objectClass=posixAccount)(uid=postfix))
    81         (objectClass=posixAccount)
    68         (&(objectClass=posixAccount)(uid=debian-exim))
    68         (&(objectClass=posixGroup)(memberUid=Debian-exim))
    39         (&(objectClass=posixAccount)(uid=normaluser))
    34         (&(objectClass=posixAccount)(uidNumber=7333))
    30         (&(objectClass=posixGroup)(memberUid=hiddenuser1))
    29         (&(objectClass=posixGroup)(memberUid=chelovek))
    29         (&(objectClass=posixAccount)(uid=chelovek))
    27         (&(objectClass=posixAccount)(uid=user0))
    23         (&(objectClass=posixAccount)(uid=nobody))
    21         (&(objectClass=posixAccount)(uid=user1))
    18         (&(objectClass=posixAccount)(uid=user2))
    16         (&(objectClass=posixAccount)(uid=user3))
    15         (&(objectClass=posixAccount)(uid=user4))
    12         (&(objectClass=posixAccount)(uid=user5))
    11         (&(objectClass=posixAccount)(uidNumber=7330))
    10         (&(objectClass=posixAccount)(uid=user15))
    9          (&(objectClass=posixAccount)(uid=user16))
    8          (&(objectClass=posixAccount)(uidNumber=7333))
    6          (&(objectClass=posixAccount)(uid=user6))
    5          (&(objectClass=posixAccount)(uid=user7))
    5          (cn=defaults)
    4          (&(objectClass=posixAccount)(uidNumber=7228))
    4          (&(objectClass=shadowAccount)(uid=user1))
    4          (&(objectClass=posixAccount)(uid=user9))
    4          (&(objectClass=posixAccount)(uid=user10))
    4          (&(objectClass=posixAccount)(uid=user11))
    3          (&(objectClass=posixAccount)(uid=user12))
    3          (&(objectClass=posixAccount)(uid=user13))
    3          (&(objectClass=posixAccount)(uid=user14))
    ...............

and MANY others that have 1 use in these stats.

I think these many queries are from the mail relay server.

* user1 etc. - users that are relayed, like "user1@domain.com" in the "rcpt to" field of an email at the mail relay.

What can I do to tune nss? Can you point me in the right direction? There are too many unneeded nss requests to ldap (when an email is received and then relayed somewhere). I do not know what to look at.

If you need any additional information, logs, etc. - I'll provide it.

Thanks in advance!
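
Added example, not part of the original post: ldap-stats totals the filters but does not say which client sent them, so this sketch joins each SRCH line to the ACCEPT line of its connection and counts (client IP, filter) pairs. It assumes slapd logs at the "stats" level in its usual syslog line format; the sample lines, base DN and 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter

# slapd "stats"-level line shapes (assumed; the post does not show raw log lines).
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ \(")
SRCH = re.compile(r'conn=(\d+) op=\d+ SRCH .*filter="([^"]*)"')
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")

def searches_by_client(lines):
    """Count searches per (client IP, filter) by tracking conn= ids."""
    conn_ip, counts = {}, Counter()
    for line in lines:
        if m := ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := SRCH.search(line):
            # Connections opened before the log starts have no ACCEPT line.
            counts[(conn_ip.get(m.group(1), "unknown"), m.group(2))] += 1
        elif m := CLOSED.search(line):
            conn_ip.pop(m.group(1), None)  # slapd may reuse nothing, but keep the map small
    return counts

# Filters taken from the ldap-stats report in the post.
MAILER = "(&(objectClass=posixAccount)(uid=mailer-daemon))"
ROOT = "(&(objectClass=posixAccount)(uid=root))"
GROUPS = "(&(objectClass=posixGroup))"

P = "Apr  5 00:00:01 openldap slapd[4773]: "  # constructed syslog prefix

def srch(conn, op, flt):
    return P + f'conn={conn} op={op} SRCH base="dc=example,dc=com" scope=2 deref=0 filter="{flt}"'

# Constructed sample log; 192.0.2.25 stands in for a mail relay.
SAMPLE = [
    srch(900, 7, GROUPS),
    P + "conn=1001 fd=21 ACCEPT from IP=192.0.2.25:51234 (IP=0.0.0.0:389)",
    P + 'conn=1001 op=0 BIND dn="" method=128',
    srch(1001, 1, MAILER),
    P + "conn=1002 fd=22 ACCEPT from IP=192.0.2.40:40022 (IP=0.0.0.0:389)",
    srch(1002, 1, ROOT),
    srch(1001, 2, MAILER),
    P + "conn=1001 fd=21 closed",
    P + "conn=1002 fd=22 closed",
]

if __name__ == "__main__":
    for (ip, flt), n in searches_by_client(SAMPLE).most_common(5):
        print(f"{n:8d}  {ip:15s}  {flt}")
```

To run it against a real log, pass an open file object for /var/log/debug.log to searches_by_client() instead of SAMPLE.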