Luminis 4 LDAP Tuning

Recently we have encountered denying login on max-sessions.log and users received 503 for reaching maximum concurrent sessions. We were poking around the login files. We found that when we received the following error on $CP_ROOT/products/ds/slapd-cp/logs/error, we received the denying login on max-sessions.log. Also, we couldn't enable the event process, otherwise we would receive the denying login. We are thinking it might be related to LDAP settings.

 - WARNING<20805> - Backend Database - conn=-1 op=0 msgId=-1 -  search is not indexed

We are wondering if any school could share their tuning setups to avoid the maximum concurrent session issue.

Thanks,

Lisa
 


search is not indexed

 That message "search is not indexed" most likely has nothing to do with your 503 errors.  You can see what search is not indexed by taking that msgId number and grep through the ldap access log for the ldap query that was called.  

I saw some of those "not indexed" messages in our logs, and looked them up, and discovered that they were ldap queries that we didn't care much about.

For instance, when I looked at one of the msgId's from a "not indexed" error in the access log, it returns this, which looks like some part of the portal doing a user initiated lookup, probably through group or course tools.  

conn=13 op=30585 msgId=4444638 - SRCH base="o=pcc.edu,o=cp" scope=2 filter="(&(&(cn=*somename*)(|(objectClass=INETORGPERSON)(objectClass=GROUPOFUNIQUENAMES)))(|(pdsRole=employee)(pdsRole=faculty)))" attrs="cn uid cn cn cn mail mail telephoneNumber facsimileTelephoneNumber mobile homePhone pager objectClass"

The max session error is more likely related to Tomcat running out of threads.  Have you done the Luminis IV tuning guide that was updated in December?  The recommended server.xml "maxThreads" value is 300, but for our school I needed more than that to avoid 503's.  We set ours to 600.  The guide also mentions a couple tweaks to ldap.  

 

edit:  I just noted that your msgID was -1.  On our server, msgID=-1 is a call back from our front end web server (Parallel deployment) to the ldap.  If that isn't indexed... that might be an issue.  I could not find any "search not indexed" errors for msgId=-1, which looks like this query in our access log:

[04/Feb/2010:14:24:31 -0800] conn=82069 op=-1 msgId=-1 - fd=279 slot=279 LDAP connection from "front end web server IP" to "resource/ldap server IP"

Probably should ask sungard about that.
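
Added example, not part of the original posts: the lookup described in the comment above, done for every "search is not indexed" warning at once. It assumes a warning in the error log and its SRCH line in the access log carry the same conn/op/msgId triple; the function names and all log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread). All log lines below are constructed samples.

# Write a constructed access log and error log into directory $1.
make_sample_logs() {
    cat > "$1/access" <<'EOF'
[04/Feb/2010:14:24:30 -0800] conn=13 op=30585 msgId=4444638 - SRCH base="o=example.edu,o=cp" scope=2 filter="(&(cn=*somename*)(pdsRole=employee))" attrs="cn uid mail"
[04/Feb/2010:14:24:31 -0800] conn=82069 op=-1 msgId=-1 - fd=279 slot=279 LDAP connection from 192.0.2.10 to 192.0.2.20
[04/Feb/2010:14:24:32 -0800] conn=14 op=7 msgId=8 - SRCH base="o=example.edu,o=cp" scope=2 filter="(uid=jdoe)" attrs="cn"
EOF
    cat > "$1/errors" <<'EOF'
[04/Feb/2010:14:24:30 -0800] - WARNING<20805> - Backend Database - conn=13 op=30585 msgId=4444638 -  search is not indexed
[04/Feb/2010:14:24:31 -0800] - WARNING<20805> - Backend Database - conn=-1 op=0 msgId=-1 -  search is not indexed
EOF
}

# unindexed_searches ERROR_LOG ACCESS_LOG
# For every "search is not indexed" warning print "conn op msgId<TAB>filter",
# or "conn op msgId<TAB>NO-SRCH" when the access log holds no SRCH for that
# operation (for example a conn=-1 op=0 msgId=-1 warning like the one quoted).
unindexed_searches() {
    awk '
        function field(line, name) {
            return match(line, name "=-?[0-9]+") ? substr(line, RSTART, RLENGTH) : name "=?"
        }
        function key(line) {
            return field(line, "conn") " " field(line, "op") " " field(line, "msgId")
        }
        # First file (access log): remember each SRCH line under its key.
        FILENAME == ARGV[1] { if ($0 ~ / SRCH /) srch[key($0)] = $0; next }
        # Second file (error log): look up each unindexed-search warning.
        /search is not indexed/ {
            k = key($0)
            if ((k in srch) && match(srch[k], /filter="[^"]*"/))
                print k "\t" substr(srch[k], RSTART + 8, RLENGTH - 9)
            else
                print k "\tNO-SRCH"
        }
    ' "$2" "$1"
}

# Demo run on the constructed logs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
unindexed_searches "$demo_dir/errors" "$demo_dir/access"
rm -rf "$demo_dir"
```

Filters that show up repeatedly in the output are the candidates for a new index; NO-SRCH rows are the ones to raise with the vendor.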

Jason, truly appreciate your valuable information detailing how to link the errors.

I searched the access log on msg=-1 and found it has different interpretations in the same time frame, as follows, but I don't know which conn id I should look for, although they look fine to me.

conn=10979 op=2 msgId=-1 - closing - U1
conn=10979 op=-1 msgId=-1 - closed.
conn=10978 op=-1 msgId=-1 - closed.

conn=10981 op=-1 msgId=-1 - fd=205 slot=205 LDAP connection from 141.217.0.65 to 141.217.0.65

We did upgrade before Dec. We have set maxThreads = 350 on both port 80 and port 443. We have about 33,000 students and 8000 employees. Our Solaris machine has 128 RAM. We didn't do parallel deployment. On our setting, what is the best maxThreads we should set? If we set it too high, what drawback will we see? I tried to locate the Dec tuning document but I didn't find it on the Sungard support site. Would you kindly include the tuning doc for me?

Again thanks for your help,

Lisa

ldap tuning

Search for 1-3X900T at connect.sungardhe.com for the tuning guide (Luminis Platform 4 Tuning guide).

In terms of max threads, we have 2 web servers, each has 600 maxThreads, and I haven't had any issues.  One web server has 8gigs and the other 32gigs, both are T2000 ultrasparc sun servers.

conn=10981 op=-1 msgId=-1 - fd=205 slot=205 LDAP connection from 141.217.0.65 to 141.217.0.65

In terms of the ldap error, I'd assume that: 141.217.0.65 hosts both your web server and your ldap?  We have roughly the same staff and student numbers, and parallel deployment was the number one thing that has resolved our performance issues.  

After doing the tuning guide, increasing threads, and checking with sungard about why your web server seems to be making an unindexed call to your ldap, if things still aren't better, you should probably consider getting a couple cheap T2000's or whatever the new model is, and put them in front of your resource/ldap server.

 

 

 

We had a conference call with SCT last Friday afternoon and threw our observations to them. Since we didn't receive maxThread warnings in the log file, they didn't suggest that we do parallel deployment because our server is a powerful machine with 350GB disk space and 128GB RAM. Pipeline support asked us to reindex LDAP and get rid of the old term from LDAP. This morning we did the reindex and we have successfully processed 36,009 events from 4am to 10am without receiving a 503 error.

Last quick question, how often does your school run a reindex? Thanks!

 

reindex

 Oh... I didn't know that your logs were not showing thread errors.  That is the typical error we'd see if clients were seeing 503's.

At any rate, we reindex usually once per term.  I use this bash script. It would need to be customized for your portal paths.

 

#!/bin/bash
# Rebuild the portal LDAP databases: export every backend to LDIF,
# set the old db directory aside, then re-import from the LDIF files.

. /mnt/portal/.cprc

# Stop all portal services before touching the database files.
stopcp -a

# Abort if the directory is missing, so the mv/mkdir below cannot run elsewhere.
cd "$CP_ROOT/products/ds/slapd-cp" || exit 1

# Fresh scratch directory for the exports.
rm -Rf /mnt/portal/ldaptemp
mkdir /mnt/portal/ldaptemp

# Export each backend to LDIF.
./db2ldif -n userRoot -a /mnt/portal/ldaptemp/userRoot.ldif
./db2ldif -n messaging -a /mnt/portal/ldaptemp/messaging.ldif
./db2ldif -n internetdb2 -a /mnt/portal/ldaptemp/internetdb.ldif
./db2ldif -n NetscapeRoot -a /mnt/portal/ldaptemp/netscaperoot.ldif
./db2ldif -n pabdb2 -a /mnt/portal/ldaptemp/pabdb.ldif
./db2ldif -n luminisconfig -a /mnt/portal/ldaptemp/luminisconfig.ldif
./db2ldif -n comms-configdb2 -a /mnt/portal/ldaptemp/comms-config.ldif
./db2ldif -n PiServerDbdb2 -a /mnt/portal/ldaptemp/piserverdb.ldif
./db2ldif -n sctsso -a /mnt/portal/ldaptemp/sctsso.ldif

# Keep the old databases as db.old and start from an empty db directory.
mv db db.old
mkdir db
echo "db permissions should be luma:luma drwxr-xr-x"

# Re-import each backend from its LDIF export.
./ldif2db -n userRoot -i /mnt/portal/ldaptemp/userRoot.ldif
./ldif2db -n messaging -i /mnt/portal/ldaptemp/messaging.ldif
./ldif2db -n internetdb2 -i /mnt/portal/ldaptemp/internetdb.ldif
./ldif2db -n NetscapeRoot -i /mnt/portal/ldaptemp/netscaperoot.ldif
./ldif2db -n pabdb2 -i /mnt/portal/ldaptemp/pabdb.ldif
./ldif2db -n luminisconfig -i /mnt/portal/ldaptemp/luminisconfig.ldif
./ldif2db -n comms-configdb2 -i /mnt/portal/ldaptemp/comms-config.ldif
./ldif2db -n PiServerDbdb2 -i /mnt/portal/ldaptemp/piserverdb.ldif
./ldif2db -n sctsso -i /mnt/portal/ldaptemp/sctsso.ldif