As far as I have been informed (please correct me if I'm wrong),
there is an issue with the version of OpenLDAP that Apple ships in
the server software... They use 2.1, which is allegedly buggy compared
to 2.2, which is the accepted stable series.
I had an issue with an OD master which kept crashing out. I had
around 150 10.3 Macs, and somewhere in the region of 350 Red Hat
clients authenticating off it.
So we moved on to plan v2.0: we created an OD replica for the Red Hat
boys in case it was being caused by network issues between buildings
on campus. The same thing happened to the OD replica: CPU use went
through the roof and the machine would hang. The cause seemed to
tie in with when users first logged in a lecture and there were large
amounts of passwords being changed.
We ended up ditching the RH boxes authenticating off the server and
et voilà, the CPU issues ceased.
Does anyone else have similar experiences?
On 31 Jan 2005, at 10:20, Matt Jenns wrote:
Hi all,
Have a customer with around 300+ 10.3.7 clients connected to an OD.
I set it up three weeks ago and they've been slowly adding machines
into the system. The master (dual G4 Xserve, 10.3.7) has in the
last week had a series of slapd crashes (two or three a day,
seemingly load related). The log shows that the crashed thread
seems to have something to do with password server, e.g.:
Thread 3 Crashed:
0 <<00000000>> 0xffff8acc __memcpy + 0x32c
1 libpscrammd5.2.so 0x001c2d54 cr_getsecret + 0x80
2 libsasl2.2.0.1.dylib 0x9450db5c _plug_get_password + 0x138
3 libpscrammd5.2.so 0x001c4f88 crammd5_server_plug_init + 0x318
4 libsasl2.2.0.1.dylib 0x94507b80 sasl_client_step + 0xf8
5 libpscrammd5.2.so 0x001c39b0 DoSASLAuth + 0x1fc
6 libpscrammd5.2.so 0x001c41a0 DoPSCRAMMD5Auth + 0x298
7 libpscrammd5.2.so 0x001c48a4 DoPSCRAMMD5Auth + 0x99c
8 libsasl2.2.0.1.dylib 0x945034f8 sasl_server_step + 0x100
I'm hoping it's just a load issue, but the two main AFP servers
(dual G5 Xserves, 10.3.7) are both OD replicas, yet hardly any
client ever seems to use them. If I look at all three boxes' LDAP
connections right now, for example, I get this:
[master:~] root# lsof -i | grep slapd | wc -l
139
[bdata:~] root# lsof -i | grep slapd | wc -l
3
[adata:~] root# lsof -i | grep slapd | wc -l
7
Not great.
In the absence of any better ideas, I'm adding a StartupItem that
will randomly pick an LDAP server, use ipfw to block the other two,
restart DirectoryService, and then flush ipfw again. What sort of
load are others seeing on their LDAP boxes? Is it worth adding an
idle timeout to slapd.conf?
thanks in advance
matt jenns