nsswitch/openldap connection optimization

Matthew Carpenter mcarpenter
Wed May 9 16:23:37 PDT 2007


On Tuesday 17 April 2007, Bill Campbell wrote:
> On Tue, Apr 17, 2007, David Bandel wrote:
> >On 4/17/07, Bill Campbell <linux-sxs at celestial.com> wrote:
> >>I'm looking for information on performance optimization when
> >>using openldap authentication with nsswitch.  In particular,
> >>limiting the number of connections to the openldap server(s)
> >>when there are large numbers of authentication requests.
> >>
> >>We're doing this on a cluster of SLES9 and SLES10 boxes which
> >>deliver e-mail to about 10,000 e-mail accounts and perhaps 7,500
> >>messages per hour per server.
> >>
> >>The problem is that each server in the cluster tends to have
> >>several hundred connections open to the openldap server which
> >>occasionally has problems with ``too many open files''.
> >>
> >>The only thing I've found so far refers to the nscd caching
> >>daemon.  This morning I increased the ``suggested-size'' for
> >>passwd to 9701 from 211 (prime numbers) on the cluster machines
> >>in hopes that doing this would limit the number of requests to
> >>the server.  It will take a while to see if this has the desired
> >>effect, or whether I have to dig deeper.
> >
> >The nscd is a name server caching daemon.  This doesn't sound like a
> >DNS caching issue (although I always make mail machines at least
> >caching DNS servers due to the large number of MX and A -- and in the
> >case of clueless morons, CNAME -- requests they can generate).
>
> Looking at the documentation I've found on the 'Net, nscd can
> cache nameservice and general NIS services.  One article suggested
> turning off the DNS caching which makes sense to me (we turn off
> nscd on machines that aren't doing nsswitch LDAP authentication).
>
> We're running dnscache from djbdns on all the cluster machines,
> and I've never had any problems with it.
>
> >Sounds like you need to have the mail servers run as LDAP secondaries
> >or slaves and let the mail systems look to their own LDAP slave (which
> >should only have to refresh on occasion).
>
> I have tried various secondary/slave implementations, but there
> were some weird issues with that, one of which was that slapd
> would create really huge slurpd files on startup.
>
> It appears that increasing the cache size in the nscd.conf file
> may have helped.

Actually, my friends, NSCD is the "NAME SERVICES CACHING DAEMON".  *Not* 
the DNS caching daemon.  NSSWITCH is the NAME SERVICES SWITCH.

You are not talking about an LDAP Authentication problem (well, the end result 
is a problem with LDAP which hurts authentication) but a name lookup problem.  
Any Authentication mechanism you introduce into an OS has at least two parts 
(hopefully three):
* Authentication
* Authorization ( Hopefully )
* Name Resolution (i.e. user 1000 is really "matt")

NSCD can be turned on or off for basically any of the NSSWITCH name resolver 
types.  That is why your config change helped.

(quite frankly, I'm surprised David didn't say the same thing, but I guess 
even David deserves a day off of being Mr. Incredible)

Sorry to post so late on this one...


-- 
Matthew Carpenter
mcarpenter at intelguardians.com
http://www.intelguardians.com

PGP Fingerprint: 
87EB 54A8 FB42 0A0E B8AE CDA7 FF99 2A64 E70F 4466
hkp://wwwkeys.pgp.net
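An nscd.conf fragment illustrating the point made in this thread (added here as an example; it is not from either poster's configuration). It keeps nscd caching for the passwd and group maps that nss_ldap resolves, and disables the hosts cache because the cluster already runs dnscache for DNS. The TTL and size values are assumptions to be tuned per site; glibc's nscd documentation recommends a prime for suggested-size, and note that 9701 mentioned above is not prime (89 * 109 = 9701), so the example uses 10007. The `persistent` and `shared` options exist only on newer glibc nscd (the SLES10 generation, not SLES9), so they are commented out.

```conf
# /etc/nscd.conf -- example fragment, not the original poster's file.
# nscd caches NSSWITCH lookups (passwd, group, hosts); it is not a DNS server.

# Caching the passwd and group maps is what cuts the number of
# nss_ldap lookups, and therefore connections, reaching slapd.
        enable-cache            passwd          yes
        positive-time-to-live   passwd          600     # assumed: 10 min
        negative-time-to-live   passwd          20      # keep short: a new account should not be "unknown" for long
        suggested-size          passwd          10007   # prime, larger than the ~10,000 accounts
        check-files             passwd          yes     # invalidate if /etc/passwd itself changes
#       persistent              passwd          yes     # glibc >= 2.4 only
#       shared                  passwd          yes     # glibc >= 2.4 only

        enable-cache            group           yes
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        suggested-size          group           211
        check-files             group           yes

# DNS is handled by the local dnscache, so do not double-cache hosts here
# (and a stale nscd hosts cache is harder to flush than dnscache is).
        enable-cache            hosts           no
```

After restarting nscd, `nscd -g` prints per-database statistics; a passwd cache hit rate well below the request volume means the TTLs or suggested-size are still too small for the workload, and the connection count on the slapd side (`netstat -tn | grep :389`) is the number that actually has to come down.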