[K12OSN] LDAP timeout question

Gavin McCullagh gmccullagh at gmail.com
Sun Nov 18 19:31:22 GMT 2007


Hi Jim,

On Fri, 16 Nov 2007, Jim Kronebusch wrote:

> Each application opened thereafter uses 1 more open file under the
> openldap user.  These files remain open for the openldap user until the
> user session is terminated. So if one student logged on to every client
> in my network and opened both Firefox and OpenOffice, openldap would have
> 18 files opened per user across 108 clients.  Now this is the part I can
> figure out easily, 108 users x 18 open files per user equals 1944 open
> files for the openldap user.  The default open file limit per user under
> Edubuntu feisty is 1024, 

This is good stuff to know about, thanks.

I know we've been over this before, but do you commonly have 108 concurrent
users on a single thin client server?  That's pretty impressive.  If you
haven't done it already, a short document briefly detailing the hardware
specs and the various tweaks you've needed would make very interesting
reading.  Do they all use sound? 

> I then decided I never want to see this error again, so I set the following in
> /etc/security/limits.conf:
> 
> *               soft    nofile  4096
> *               hard    nofile  4096

Seems reasonable enough, though would it be as effective and a little more
prudent to do:

openldap          soft    nofile  4096
openldap          hard    nofile  4096

4096 files per user in general seems an awful lot and might allow users to
do nasty things to your system.

> If this works, I think there is a huge flaw with the maximum open file
> limit and the default configuration of OpenLDAP when used in a thin
> client environment.

The question is whether it should be fixed or if this is really just
"tuning" that should be documented for big systems.  For example, the
default install of PostgreSQL sets limits which will not work when you go
above 20 users on a web application.   It's expected that if you run it in
large scale production, you learn how to tune it for production use.  Given
the number of users you have, I think it's fair to say you're a big
production user.

Right now, Edubuntu doesn't use openldap, so it probably doesn't make sense
for Edubuntu to change this limit.  There can be very few system users
which would ever need this number of open files. Openldap could perhaps add
the above lines specific to itself in limits.conf (assuming it works!).
You could ask the openldap package maintainers.

Gavin
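
Added example, not part of the original message or of any project named in it: a Python sketch that reads limits.conf-style text and checks the two configurations discussed above against the thread's figures (108 clients x 18 files, default limit 1024). The function names, the `student` account and the sample inputs are constructed for illustration; `@group` entries are ignored to keep it short.

```python
# Constructed samples: the wildcard form quoted in the thread and the
# per-user form suggested in the reply.
SAMPLE_WILDCARD = """\
*               soft    nofile  4096
*               hard    nofile  4096
"""
SAMPLE_SCOPED = """\
openldap          soft    nofile  4096
openldap          hard    nofile  4096
"""
DEFAULT_NOFILE = 1024  # default per-user limit stated in the thread


def parse_nofile(text):
    """Return (domain, type, value) for each numeric nofile line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) == 4 and fields[2] == "nofile":
            domain, kind, _, value = fields
            if kind in ("soft", "hard", "-") and value.isdigit():
                entries.append((domain, kind, int(value)))
    return entries


def effective_soft(text, user, default=DEFAULT_NOFILE):
    """Soft nofile limit for user: an exact user entry beats the '*' default."""
    seen = {}
    for domain, kind, value in parse_nofile(text):
        if kind in ("soft", "-") and domain in (user, "*"):
            seen[domain] = value  # a later line overrides an earlier one
    return seen.get(user, seen.get("*", default))


def audit(text, service_user, clients, files_per_client, ordinary_user="student"):
    """Check the service account has headroom and nobody else was raised.

    ordinary_user is a hypothetical unprivileged account name.
    """
    needed = clients * files_per_client
    service_limit = effective_soft(text, service_user)
    return {
        "needed": needed,
        "service_limit": service_limit,
        "service_ok": service_limit >= needed,
        "raised_for_everyone": effective_soft(text, ordinary_user) > DEFAULT_NOFILE,
    }


if __name__ == "__main__":
    for name, conf in (("wildcard", SAMPLE_WILDCARD), ("scoped", SAMPLE_SCOPED)):
        print(name, audit(conf, "openldap", clients=108, files_per_client=18))
```

limits.conf is applied by pam_limits when a PAM session starts, so a daemon launched outside such a session may not pick up the per-user entry; compare the result with the `Max open files` line in `/proc/<pid>/limits` of the running slapd process.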
