From: "Michael J. Kearney"
To: "freebsd-questions@freebsd.org"
Date: Thu, 7 Apr 2011 04:51:48 -0400
Subject: RE: Optimizing pam_ldap and nss_ldap

Don't know ... I couldn't ever get pam_ldap to work. It was caught in a permanent wait state. The ldap server NEVER replied.

Computer Assistant
Nvita.org
12400 Midsummer Ln, Suite 201A
Woodbridge, VA 22192
Phone - (202) 455-9065
Web - http://www.nvita.org/free-shells.aspx

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of c0re
Sent: Thursday, April 07, 2011 1:38 AM
To: FreeBSD
Subject: Optimizing pam_ldap and nss_ldap

Hello freebsd users!

I've got OpenLDAP 2.4.23 that is used as an authentication and authorization server for about 40-50 servers. OS - FreeBSD 8.1. It's not heavily loaded.

openldap# top -SP
last pid: 45647;  load averages:  0.15,  0.15,  0.07    up 81+22:29:21  15:18:57
99 processes:  3 running, 80 sleeping, 16 waiting
CPU 0:  0.7% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.3% idle
CPU 1:  0.4% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.9% idle
Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
Swap: 4060M Total, 8K Used, 4060M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root        2 171 ki31     0K    32K CPU0    0 3874.8 200.00% idle
 4773 ldap       18  44    0   398M 53748K ucond   1  41.1H   0.00% slapd

But on my servers I sometimes see something like this in the logs, here on an FTP server:

Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable

Authentication works fine, no problems. But I want to find out what can be wrong. To understand this problem I installed the ldap-stats utility and ran it. /var/log/debug.log is half a day of the OpenLDAP server's usage log.

openldap# ldap-stats -c 1000 /var/log/debug.log

Report Generated on Tue Apr 5 15:16:47 2011
--------------------------------------------
Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33

Operation totals
----------------
Total operations              : 913845
Total connections             : 101226
Total authentication failures : 2
Total binds                   : 99700
Total unbinds                 : 99181
Total searches                : 714964
Total compares                : 7
Total modifications           : 0
Total modrdns                 : 0
Total additions               : 0
Total deletions               : 0
Unindexed attribute requests  : 0
Operations per connection     : 9.03

# Uses      Filter
----------  -----------------------------------------------------------
615504      (&(objectClass=posixAccount)(uid=mailer-daemon))
90699       (&(objectClass=posixGroup))
6833        (&(objectClass=posixAccount)(uid=root))
2236        (&(objectClass=posixAccount)(uid=hiddenuser1))
669         (&(objectClass=posixGroup)(memberUid=root))
318         (&(objectClass=posixAccount)(uid=testacc))
87          (&(objectClass=posixGroup)(memberUid=postfix))
87          (&(objectClass=posixAccount)(uid=postfix))
81          (objectClass=posixAccount)
68          (&(objectClass=posixAccount)(uid=debian-exim))
68          (&(objectClass=posixGroup)(memberUid=Debian-exim))
39          (&(objectClass=posixAccount)(uid=normaluser))
34          (&(objectClass=posixAccount)(uidNumber=7333))
30          (&(objectClass=posixGroup)(memberUid=hiddenuser1))
29          (&(objectClass=posixGroup)(memberUid=chelovek))
29          (&(objectClass=posixAccount)(uid=chelovek))
27          (&(objectClass=posixAccount)(uid=user0))
23          (&(objectClass=posixAccount)(uid=nobody))
21          (&(objectClass=posixAccount)(uid=user1))
18          (&(objectClass=posixAccount)(uid=user2))
16          (&(objectClass=posixAccount)(uid=user3))
15          (&(objectClass=posixAccount)(uid=user4))
12          (&(objectClass=posixAccount)(uid=user5))
11          (&(objectClass=posixAccount)(uidNumber=7330))
10          (&(objectClass=posixAccount)(uid=user15))
9           (&(objectClass=posixAccount)(uid=user16))
8           (&(objectClass=posixAccount)(uidNumber=7333))
6           (&(objectClass=posixAccount)(uid=user6))
5           (&(objectClass=posixAccount)(uid=user7))
5           (cn=defaults)
4           (&(objectClass=posixAccount)(uidNumber=7228))
4           (&(objectClass=shadowAccount)(uid=user1))
4           (&(objectClass=posixAccount)(uid=user9))
4           (&(objectClass=posixAccount)(uid=user10))
4           (&(objectClass=posixAccount)(uid=user11))
3           (&(objectClass=posixAccount)(uid=user12))
3           (&(objectClass=posixAccount)(uid=user13))
3           (&(objectClass=posixAccount)(uid=user14))
...............
and MANY others that have 1 use in these stats.

I think these many queries come from the mail relay server.

* user1 etc. - users that were relayed, like "user1@domain.com" in the "rcpt to" field of an email at the mail relay.

What can I do to tune nss? Can you point me in the right direction? There are too many unneeded nss requests to ldap (when email is received and then relayed somewhere). I do not know what to look at.

If you need any additional information, logs, etc. - I'll provide it.

Thanks in advance!
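
Added example, not part of the original thread: the ldap-stats report above counts filters but not which client sent them, so this sketch joins slapd ACCEPT lines (conn to client address) with SRCH lines (conn to filter) to show which host issues each repeated lookup. It assumes /var/log/debug.log holds slapd's stats-level syslog lines; the sample lines, addresses and base DN are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in slapd's stats-level syslog format (not from the
# post); host name, client addresses and base DN are made up.
P = "Apr  5 00:00:01 openldap slapd[4773]: "
B = 'SRCH base="dc=example,dc=com" scope=2 deref=0 filter='
MD = '"(&(objectClass=posixAccount)(uid=mailer-daemon))"'
SAMPLE_LOG = [
    P + "conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)",
    P + "conn=1001 op=1 " + B + MD,
    P + "conn=1001 op=2 " + B + MD,
    P + "conn=1002 fd=15 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)",
    P + "conn=1002 op=1 " + B + '"(&(objectClass=posixAccount)(uid=root))"',
    P + "conn=1001 op=3 " + B + MD,
    P + "conn=1002 op=2 " + B + MD,
]

# Client address may be IPv4 or a bracketed IPv6 literal.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[^:\s]+):\d+")
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH .*?filter="(.*)"')

def searches_by_client(lines):
    """Return {filter: Counter({client_ip: searches})} from slapd log lines."""
    conn_ip = {}
    result = defaultdict(Counter)
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            # Connections accepted before the log starts are reported as "unknown".
            result[m.group(2)][conn_ip.get(m.group(1), "unknown")] += 1
    return result

def top_talkers(lines, n=3):
    """Rows of (total, filter, busiest client, its count), busiest filter first."""
    rows = []
    for flt, clients in searches_by_client(lines).items():
        ip, hits = clients.most_common(1)[0]
        rows.append((sum(clients.values()), flt, ip, hits))
    return sorted(rows, reverse=True)[:n]

if __name__ == "__main__":
    for total, flt, ip, hits in top_talkers(SAMPLE_LOG):
        print(f"{total:6d}  {flt}  <- {ip} ({hits})")
```

On a real log, pass the open file object instead of SAMPLE_LOG; the busiest client for the mailer-daemon filter is the host whose NSS lookups are worth examining first.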