Date: Thu, 7 Apr 2011 10:38:00 +0400 From: c0re <nr1c0re@gmail.com> To: FreeBSD <freebsd-questions@freebsd.org> Subject: Optimizing pam_ldap and nss_ldap Message-ID: <BANLkTikA-OWK2B8rpPhSuMMX=ajnx3_KEw@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hello freebsd users! I've got Openldap 2.4.23 that used as authentication and authorization server for about 40-50 servers. OS - FreeBSD 8.1. It's not heavy loaded. openldap# top -SP last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57 99 processes: 3 running, 80 sleeping, 16 waiting CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free Swap: 4060M Total, 8K Used, 4060M Free PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle 4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd But on my servers sometimes I see in logs something like on FTP-server: Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable Authentication works fine, no problems. But want to find out what can be wrong. To understand this problem I installed ldap-stats utility and made it run: /var/log/debug.log - it's half day openldap server usage log. openldap# ldap-stats -c 1000 /var/log/debug.log Report Generated on Tue Apr 5 15:16:47 2011 -------------------------------------------- Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33 Operation totals ---------------- Total operations : 913845 Total connections : 101226 Total authentication failures : 2 Total binds : 99700 Total unbinds : 99181 Total searches : 714964 Total compares : 7 Total modifications : 0 Total modrdns : 0 Total additions : 0 Total deletions : 0 Unindexed attribute requests : 0 Operations per connection : 9.03 # Uses Filter ---------- ----------------------------------------------------------- 615504 (&(objectClass=posixAccount)(uid=mailer-daemon)) 90699 (&(objectClass=posixGroup)) 6833 (&(objectClass=posixAccount)(uid=root)) 2236 (&(objectClass=posixAccount)(uid=hiddenuser1)) 669 (&(objectClass=posixGroup)(memberUid=root)) 318 (&(objectClass=posixAccount)(uid=testacc)) 87 (&(objectClass=posixGroup)(memberUid=postfix)) 87 (&(objectClass=posixAccount)(uid=postfix)) 81 (objectClass=posixAccount) 68 (&(objectClass=posixAccount)(uid=debian-exim)) 68 (&(objectClass=posixGroup)(memberUid=Debian-exim)) 39 (&(objectClass=posixAccount)(uid=normaluser)) 34 (&(objectClass=posixAccount)(uidNumber=7333)) 30 (&(objectClass=posixGroup)(memberUid=hiddenuser1)) 29 (&(objectClass=posixGroup)(memberUid=chelovek)) 29 (&(objectClass=posixAccount)(uid=chelovek)) 27 (&(objectClass=posixAccount)(uid=user0)) 23 (&(objectClass=posixAccount)(uid=nobody)) 21 (&(objectClass=posixAccount)(uid=user1)) 18 (&(objectClass=posixAccount)(uid=user2)) 16 (&(objectClass=posixAccount)(uid=user3)) 15 (&(objectClass=posixAccount)(uid=user4)) 12 (&(objectClass=posixAccount)(uid=user5)) 11 (&(objectClass=posixAccount)(uidNumber=7330)) 10 (&(objectClass=posixAccount)(uid=user15)) 9 (&(objectClass=posixAccount)(uid=user16)) 8 (&(objectClass=posixAccount)(uidNumber=7333)) 6 (&(objectClass=posixAccount)(uid=user6)) 5 (&(objectClass=posixAccount)(uid=user7)) 5 (cn=defaults) 4 (&(objectClass=posixAccount)(uidNumber=7228)) 4 (&(objectClass=shadowAccount)(uid=user1)) 4 (&(objectClass=posixAccount)(uid=user9)) 4 (&(objectClass=posixAccount)(uid=user10)) 4 (&(objectClass=posixAccount)(uid=user11)) 3 (&(objectClass=posixAccount)(uid=user12)) 3 (&(objectClass=posixAccount)(uid=user13)) 3 (&(objectClass=posixAccount)(uid=user14)) ............... and MANY others that has 1 use in this stats. I think this many queries from mail relay server. * user1 and etc - users that relayed, like "user1@domain.com" in "rcpt to" field in email at mail-relay. What can I do to tune nss? Can you point me in a right direction? There's too many not needed nss requests to ldap (when email recieved and then relayed somewhere). Do not know what to look at. If you need any additional information, logs and etc - I'll provide it. Thanks in advance!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BANLkTikA-OWK2B8rpPhSuMMX=ajnx3_KEw>