lists.arthurdejong.org
RSS feed

Re: nslcd eats up all memory

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nslcd eats up all memory



On Tue, 2010-11-02 at 16:16 +0100, Peter Slickers wrote:
> I am running serveral Debian linux servers with nslcd to lookup user
> and group information from active directory. Also on samba servers I
> use nslcd instead of winbind (since winbind requires a modification of
> the global catalog). Lookup of names works fine but it turns out that
> the nslcd instance consumes huge amounts of memory on the long run.

Thanks for your bugreport. I've not seen this before and so far haven't
been able to reproduce any memory leaks (thanks for the memory
monitoring script).

I'm not able to test with Active Directory though so that could be the
problem area.

> Samba fileserver
>  Debian lenny stable (all updated packages installed)
>  kernel 2.6.26-2-xen-amd64
>  nslcd V0.7.11 compiled from source locally

Do you also use the PAM module?

> LDAP backend
>  Active Directory with IDMU installed (Windows 2008 server) 

Can you give an indication of the number of users and groups in there?

> increase   2 MB per hour during evenings and nights
> increase >20 MB per hour during business hours

Can you try running nslcd under valgrind:
  valgrind --leak-check=full /usr/sbin/nslcd -d
This does slow things down a bit though. If you can use the compiled
version of nslcd (if you use the debian package it will strip the symbol
table from the binary) that should provide more useful debugging info.

> Typical messages in /var/log/daemon.log:
>  Nov  2 13:46:16 conan nslcd[32322]: [87739c] 
> nslcd_group_byname(Domänen-Admins): invalid group name
>  Nov  2 13:47:05 conan nslcd[32322]: [294e43] 
> nslcd_group_byname(Domänen-Benutzer): invalid group name
>  Nov  2 13:48:04 conan nslcd[32322]: [6f0364] error writing to client: Broken 
> pipe
>  Nov  2 13:49:05 conan nslcd[32322]: [b8302a] 
> nslcd_group_byname(Domänen-Benutzer): invalid group name
>  Nov  2 13:51:06 conan nslcd[32322]: [47fc38] 
> nslcd_group_byname(Domänen-Benutzer): invalid group name
>  Nov  2 14:29:05 conan nslcd[32322]: [6c89ee] error writing to client: Broken 
> pipe
>  Nov  2 14:30:07 conan nslcd[32322]: [1fc68b] 
> nslcd_group_byname(Domänen-Benutzer): invalid group name
>  Nov  2 14:33:06 conan nslcd[32322]: [66515b] 
> nslcd_group_byname(Domänen-Benutzer): invalid group name

The broken pipe messages can happen when a client requests some data but
does not read all of it (e.g. it lists all users but stops processing
the results after it has found the one it was looking for).

The other ones are due to the umlaut in the name. POSIX has pretty
strict limits as to what characters should be part of group names.

Neither of these should result in a memory leak (at least not in my
tests).

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users