[389-users] Lots of abandoned connections from sssd

Orion Poplawski orion at cora.nwra.com
Wed Nov 12 19:26:33 UTC 2014


On 11/05/2014 08:16 PM, Orion Poplawski wrote:
> Just recently we're seeing some very strange behavior on our system.
> Periodically we will see a sssd process start to have an ever greater number
> of connections to our ldap server until the server runs out of file
> descriptors.  This seems to be happening with a particular user, who is having
> trouble logging in at times, particularly with email (dovecot).  We see
> entries like the following on our server:
> 
> [05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 RESULT err=0 tag=120 nentries=0
> etime=0
> [05/Nov/2014:17:14:51 -0700] conn=1786153 SSL 128-bit AES
> [05/Nov/2014:17:14:51 -0700] conn=1786153 op=1 BIND
> dn="uid=user,ou=People,dc=domain,dc=com" method=128 version=3
> [05/Nov/2014:17:14:56 -0700] conn=1786153 op=2 ABANDON targetop=NOTFOUND msgid=2
> [05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 UNBIND
> [05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 fd=1022 closed - U1
> 
> I don't yet have debug info from the sssd process.  Any ideas from the above?

This turns out to have been the bind hang bug introduced with the first fix
for https://fedorahosted.org/389/ticket/47748.  It is present in
389-ds-base-1.2.11.32-1.el6 from the nhosoi/389-ds-base-epel6 COPR.  It
appears to be fixed on the 389-ds-base-1.2.11 branch, so a new build with the
fix would be greatly appreciated.  Thanks!

I may file a bug against sssd to handle hung connections better too.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
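
An added example, not part of the original message or of the 389-ds or sssd projects: a small Python scan of a 389-ds access log for the pattern visible in the quoted lines, a BIND that never receives a RESULT before the client sends ABANDON or UNBIND. Treating a missing RESULT as the sign of a hung bind is an assumption drawn from those lines; the sample log, the extra connections and the function name are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: conn=1786153 is the sequence quoted in the post (wrapped lines
# rejoined); conn=1786154 (healthy) and conn=1786155 (never answered) are made up.
SAMPLE_LOG = '''\
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[05/Nov/2014:17:14:51 -0700] conn=1786153 SSL 128-bit AES
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=1 BIND dn="uid=user,ou=People,dc=domain,dc=com" method=128 version=3
[05/Nov/2014:17:14:52 -0700] conn=1786154 op=0 BIND dn="uid=other,ou=People,dc=domain,dc=com" method=128 version=3
[05/Nov/2014:17:14:52 -0700] conn=1786154 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[05/Nov/2014:17:14:53 -0700] conn=1786155 op=0 BIND dn="uid=user,ou=People,dc=domain,dc=com" method=128 version=3
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=2 ABANDON targetop=NOTFOUND msgid=2
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 UNBIND
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 fd=1022 closed - U1
'''

LINE_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) ([A-Z]+)\b(.*)$')

def find_unanswered_binds(log_text):
    """Return BINDs that never received a RESULT, with how long the client waited."""
    pending = {}    # (conn, op) -> (bind time, dn)
    findings, last_ts = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # lines without "op=N VERB" (SSL info, fd closed) are skipped
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        conn, op, verb, rest = int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)
        last_ts = ts
        if verb == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            pending[(conn, op)] = (ts, dn.group(1) if dn else "")
        elif verb == "RESULT":
            pending.pop((conn, op), None)    # answered normally
        elif verb in ("ABANDON", "UNBIND"):
            # Client gave up: a BIND still pending on this connection got no RESULT.
            for key in [k for k in pending if k[0] == conn]:
                start, dn = pending.pop(key)
                findings.append((conn, dn, int((ts - start).total_seconds()), verb))
    # BINDs still pending when the log ends belong to connections that may still be open.
    for (conn, _op), (start, dn) in sorted(pending.items()):
        findings.append((conn, dn, int((last_ts - start).total_seconds()), "OPEN"))
    return findings

if __name__ == "__main__":
    for conn, dn, waited, how in find_unanswered_binds(SAMPLE_LOG):
        print(f"conn={conn} dn={dn} waited={waited}s ended_by={how}")
```

Grouping the results by DN shows whether the unanswered binds cluster on one account, as they did in the report above.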


