
Re: nslcd threads and connections: 5 too many?




On Fri, 2012-03-09 at 16:23 -0800, Chris Hiestand wrote:
> I just noticed that each nslcd thread has its own connection to the
> LDAP server. I am wondering if the default, 5, might be more than the
> typical client needs, or if anyone has experimented with reducing the
> number of threads to see how performance keeps up on busy clients?
> 
> My concern is that if an ldap server has many clients and each client
> has 5 connections the number of available server connections could be
> exhausted more quickly than expected leading to DoS.

The number was chosen rather arbitrarily early during development. With
nss_ldap there were about 5 connections open from an average system (I
think) so that would not be an increase. nscd also has 5 threads by
default.

Since OpenLDAP only supports one connection per thread (at least when
nss-pam-ldapd was designed) 5 threads means 5 connections.

There have not been detailed studies on the ideal number of threads but
I expect that even two threads would be sufficient for most cases. I
would avoid using just one thread because an application could be
performing two requests simultaneously (e.g. go over all users and find
groups per user).

If anyone can provide good reasoning why another number should be the
default (preferably supported by some facts) I can change the default.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --