How strange, I only got this mail today, 2 weeks after it was sent. Anyway...

Jan-Frode Myklebust wrote:
> On 2009-11-06, Janne Blomqvist <[email protected]> wrote:
>> We had some problems with long failovers, and running out of fds as
>> well (and yes, we use nscd). I think this was related to old connections
>> not being properly cleaned up.
>
> (yes, we're running nscd most places too)
>
> We have some machines traversing some PIXes that are configured to
> tear down connections after 60 minutes idle, so on the clients we
> have idle_timelimit 3550 to have them tear down the connections first.
> But maybe that was too close, and PIXes have different ways of determining
> idleness than nss_ldap...? On the server side we hadn't set idletimeout,
> so it was defaulting to never tear down idle connections.
>
> It looks like that might explain the out-of-fds problem, so we have now
> implemented idletimeout=900 on the directory server.
>
>> timelimit 6
>> bind_timelimit 3
>> bind_policy soft
>> idle_timelimit 3600
>
> Thanks for these. Will look into these. Sounds like shorter timelimit and
> bind_timelimit might help make it fail over faster. But is soft bind_policy
> safe? Sounds like we risk getting failed lookups with soft bind_policy.

Yes, I agree it's a risk. However, with the hard policy it only failed
over to the other ldap server after such a long time that e.g. logins
had already timed out by then.

I suppose a better solution would be for the ldap client to try the next
server in the list after the first timeout, while still trying the first
one in parallel. But alas, that is not how the current implementation works.
--
Janne Blomqvist
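The interaction the thread describes (a client idle_timelimit set too close to a firewall's idle teardown, and the trade-off between bind_policy hard and soft) can be checked mechanically before rolling a config out. The following is an added example, not code from the list posters or from nss_ldap: it parses the ldap.conf-style keys quoted above and reports the findings a reviewer would want. The default values for a missing idle_timelimit (never close), bind_policy (hard) and bind_timelimit (30 s), the per-server worst-case estimate, and the host names are assumptions.

```python
"""Sanity-check nss_ldap client timeouts against a firewall that drops idle TCP sessions.

Added example (not from the mailing-list thread). Parses 'key value' lines as
found in nss_ldap's ldap.conf and flags combinations that lead to the long
failovers and leaked fds discussed on the list.
"""

# Constructed sample config: the settings quoted in the thread plus two
# made-up server URIs (the real hosts are not on the page).
SAMPLE_CONF = """\
# constructed example ldap.conf
uri ldap://ldap1.example.invalid ldap://ldap2.example.invalid
timelimit 6
bind_timelimit 3
bind_policy soft
idle_timelimit 3600
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines; comments and blank lines are ignored.

    Keys are lowercased; the value keeps the rest of the line so that a
    multi-server 'uri' line survives intact.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def check_timeouts(conf, firewall_idle_seconds, safety_margin=60):
    """Return a list of (severity, key, message) findings.

    firewall_idle_seconds: how long the stateful firewall between client and
    directory server keeps an idle TCP session before silently dropping it.
    safety_margin: how much earlier than the firewall the client must close
    its own idle connections (the thread's 3550 vs 3600 was 'too close').
    """
    findings = []
    servers = conf.get("uri", conf.get("host", "")).split()

    # Assumed default: with no idle_timelimit the client never closes idle
    # connections, so a session the firewall has dropped is reused until it
    # times out, and old sockets accumulate as file descriptors.
    if "idle_timelimit" not in conf:
        findings.append(("high", "idle_timelimit",
                         "not set: client never closes idle connections; a session the "
                         "firewall silently dropped is reused until it times out"))
    else:
        idle = int(conf["idle_timelimit"])
        if idle > firewall_idle_seconds - safety_margin:
            findings.append(("high", "idle_timelimit",
                             f"{idle}s is within {safety_margin}s of the firewall idle "
                             f"timeout ({firewall_idle_seconds}s); the firewall may drop "
                             f"the session before the client does"))

    policy = conf.get("bind_policy", "hard")  # assumed nss_ldap default
    if policy == "soft":
        findings.append(("info", "bind_policy",
                         "soft: a lookup fails immediately when no server answers instead "
                         "of blocking; callers must tolerate transient lookup failures"))
    else:
        findings.append(("info", "bind_policy",
                         "hard: lookups block and retry until a server answers, so "
                         "failover to the next server can outlast e.g. a login timeout"))

    bind_t = int(conf.get("bind_timelimit", 30))  # assumed nss_ldap default
    # Assumed estimate: each configured server may consume one bind_timelimit
    # before the client gives up on it.
    worst = bind_t * max(len(servers), 1)
    findings.append(("info", "bind_timelimit",
                     f"worst case to try all {len(servers)} server(s) once: ~{worst}s"))
    return findings


if __name__ == "__main__":
    for severity, key, msg in check_timeouts(parse_ldap_conf(SAMPLE_CONF), 3600):
        print(f"[{severity}] {key}: {msg}")
```

Run against the quoted settings with a 60-minute firewall idle timeout, the checker flags idle_timelimit 3600 (and the thread's earlier 3550) as too close to the firewall, and only passes once the client value sits comfortably below it, such as the 900 s the poster ended up using on the server side.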
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list