Thread: Problems Authenticating against OpenLDAP
I've recently configured Postgres (8.3) to authenticate against OpenLDAP. This is my pg_hba.conf entry:

    host all all 0.0.0.0/0 ldap "ldap://ldapserver/dc=mydomain,dc=com;uid=;,ou=postgresql,dc=mydomain,dc=com"

Things are working fine most of the time. However, every once in a while I'm getting something along the lines of:

    Dec 6 08:17:24 devcell-db1 postgres[12401]: [2-1] user=xxx.yyyyyyy,db=userdb,trans=0[] LOG: LDAP login failed for user "uid=xxx.yyyyyyy,ou=postgresql,dc=mydomain,dc=com" on
    Dec 6 08:17:24 devcell-db1 postgres[12401]: [2-2] server "ldapserver": error code -1

The problem is, I'm not seeing a corresponding error on the OpenLDAP side.

Also, it seems like this only happens under load, like if someone does a unit test that connects to the database 100 times in a few seconds.

Has anyone dealt with this? I've been trying to tune OpenLDAP to handle more concurrent connections, but without much success. I've set in my /etc/openldap/slapd.conf

    threads 32
    concurrency 100

and in /etc/ldap.conf

    threads 100
    idle_timelimit 60
    bind_timelimit 120

The fact that it's not even logging the failure worries me, like something's causing the request not even to hit the server.

Any ideas would be greatly appreciated.

Thanks

Dave
Try with the configuration parameters

    conn_max_pending (number of connections waiting for processing thread)
    conn_max_auth (same, but for authenticated)

If you are using anonymous auth then, by default, you have conn_max_pending=100. In your configuration I don't see a need to increase threads to 32?

Does your OpenLDAP have a PostgreSQL backend? :)

Try to increase the OpenLDAP log level - to get info about connection opening.

--
----------
Radosław Smogura
http://www.softperience.eu

David Kerr <dmk@mr-paradox.net> Monday 06 December 2010 18:00:19
> The problem is, i'm not seeing a corresponding error on the OpenLDAP side.
>
> Also, it seems like this only happens under load, like if someone does a
> unit test that connects to the database 100 times in a few seconds.
>
> Has anyone dealt with this? I've been trying to tune OpenLDAP to handle
> more concurrent connections, but without much success. i've set in my
> /etc/openldap/slapd.conf
> threads 32
> concurrency 100
>
> and in
> /etc/ldap.conf
> threads 100
> idle_timelimit 60
> bind_timelimit 120
>
> The fact that it's not even logging the failure worries me, like
> something's causing the request not even to hit the server.
>
> Any ideas would be greatly appreciated.
>
> Thanks
>
> Dave
On Mon, Dec 06, 2010 at 07:03:59PM +0100, Radosław Smogura wrote:
> Try with the configuration parameters
> conn_max_pending (number of connections waiting for processing thread)
> conn_max_auth (same, but for authenticated)

Ok, sounds good, I'll give that a shot!

> If you are using anonymous auth then, by default, you have
> conn_max_pending=100. In your configuration I don't see a need to increase
> threads to 32?

Yes, the documentation for threads was unclear. I just assumed that if the server was getting bogged down, more threads would help =)

> Does your OpenLDAP have a PostgreSQL backend? :)

Hehe, not yet. I'm ldap-impaired, so I went with BDB just to get it going.

> Try to increase the OpenLDAP log level - to get info about connection opening.

Ok, sounds good. Thanks!

Dave
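A log-side check for the symptom Dave describes, added here as an example (it is not code from the thread, from PostgreSQL or from OpenLDAP): it reassembles PostgreSQL's two-part log entries, extracts the LDAP failure with its libldap result code, and flags bursts per server and code, so that "no answer from the server" (-1, LDAP_SERVER_DOWN) is kept apart from rejected credentials (49, LDAP_INVALID_CREDENTIALS), which needs a different response. It assumes the syslog line layout shown in the first post; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# syslog prefix, PostgreSQL's "[seq-part]" continuation marker, then the message
LINE_RE = re.compile(r"^(?P<day>\w{3}\s+\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) \S+ "
                     r"postgres\[(?P<pid>\d+)\]: \[(?P<seq>\d+)-\d+\] (?P<msg>.*)$")
# the failure message once its two parts are joined back together
FAIL_RE = re.compile(r'LDAP login failed for user "(?P<dn>[^"]+)" on server "(?P<server>[^"]+)": '
                     r"error code (?P<code>-?\d+)")
# libldap result codes (ldap.h): -1 = no answer from the server, 49 = credentials rejected
CODE_NAMES = {-1: "LDAP_SERVER_DOWN", 49: "LDAP_INVALID_CREDENTIALS"}

def join_continuations(lines):
    """Reassemble entries split into [seq-1], [seq-2], ... parts, keyed by (pid, seq).
    Returns (day, seconds-of-day, joined message) tuples in first-seen order."""
    entries = {}  # dict keeps first-seen order
    for m in filter(None, map(LINE_RE.match, lines)):
        secs = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
        entry = entries.setdefault((m["pid"], m["seq"]), [m["day"], secs, []])
        entry[2].append(m["msg"].strip())
    return [(d, s, " ".join(parts)) for d, s, parts in entries.values()]

def ldap_failures(lines):
    """Return (day, secs, dn, server, code) for every reassembled LDAP login failure."""
    hits = ((day, secs, FAIL_RE.search(msg)) for day, secs, msg in join_continuations(lines))
    return [(d, s, m["dn"], m["server"], int(m["code"])) for d, s, m in hits if m]

def bursts(lines, window=10, threshold=5):
    """Count failures per (server, code, day, window start); keep those at or above threshold.
    Code -1 bursts point at the LDAP server or network, code 49 bursts at guessed passwords."""
    counts = defaultdict(int)
    for day, secs, _dn, server, code in ldap_failures(lines):
        counts[(server, CODE_NAMES.get(code, str(code)), day, secs - secs % window)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

def sample_entry(pid, clock, code):
    """Construct one two-part entry in the thread's log format (sample data, not a real log)."""
    head = f"Dec 6 {clock} devcell-db1 postgres[{pid}]: "
    return [head + "[2-1] user=xxx.yyyyyyy,db=userdb,trans=0[] LOG: LDAP login failed for user "
            '"uid=xxx.yyyyyyy,ou=postgresql,dc=mydomain,dc=com" on',
            head + f'[2-2] server "ldapserver": error code {code}']

SAMPLE_LOG = [ln for pid, clock, code in
              [(12401, "08:17:24", -1), (12402, "08:17:24", -1), (12403, "08:17:25", -1),
               (12404, "08:17:26", -1), (12405, "08:17:27", -1), (12490, "08:18:01", 49)]
              for ln in sample_entry(pid, clock, code)]
```

On the sample data only the five code -1 failures inside one 10-second window are reported; the single code 49 entry stays below the threshold.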