I think I discovered what triggered the problem. For some reason,
after the upgrade to lenny, some of the files had wrong permissions.
Here is the listing:

-rw-r--r-- 1 openldap openldap 4.0K 2009-03-17 14:38 alock
-rw------- 1 root     root      16K 2009-03-11 11:10 cn.bdb
-rw------- 1 openldap openldap 8.0K 2009-03-17 14:38 __db.001
-rw------- 1 openldap openldap 2.6M 2009-03-17 14:38 __db.002
-rw------- 1 openldap openldap  96K 2009-03-17 14:38 __db.003
-rw------- 1 openldap openldap 552K 2009-03-17 14:38 __db.004
-rw------- 1 openldap openldap  24K 2009-03-17 14:38 __db.005
-rw-r--r-- 1 openldap openldap   96 2009-03-11 11:04 DB_CONFIG
-rw------- 1 openldap openldap  84K 2009-03-17 14:38 dn2id.bdb
-rw------- 1 root     root      72K 2009-03-11 11:10 givenName.bdb
-rw------- 1 openldap openldap 576K 2009-03-17 14:38 id2entry.bdb
-rw------- 1 openldap openldap 3.6M 2009-03-17 14:38 log.0000000001
-rw------- 1 root     root     128K 2009-03-11 11:10 mail.bdb
-rw------- 1 openldap openldap  52K 2009-03-17 14:38 objectClass.bdb
-rw------- 1 root     root     8.0K 2009-03-11 11:10 ou.bdb
-rw------- 1 root     root      80K 2009-03-11 11:10 sn.bdb
-rw------- 1 root     root      16K 2009-03-11 11:10 uid.bdb

I understand that the files should have been owned by
openldap:openldap, but instead some of the files, as you can see, were
owned by root:root. After I changed the ownership of those files and
restarted slapd, the memory problem no longer appears. I ran
the test ldapsearch command 100 thousand times, and the virtual memory
size has been 62508 bytes all along. The resident memory size
increased from about 7900 bytes to 8200 bytes, but I guess this must
be normal (and may be unrelated to the repeated search test - it could
be other lookups that are being cached).
# Loading of backend modules - automatically generated

# Only the back_bdb backend module is loaded, from /usr/lib/ldap.
modulepath      /usr/lib/ldap
moduleload back_bdb

# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

# Schema files. samba.schema presumably supplies the samba* attributes named
# in the access rules further down -- confirm against the schema file.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# schemacheck is left commented out, so the server default applies.
#schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
# NOTE(review): the replog path is inside the database directory
# (/var/lib/ldap). replogfile belongs to slurpd-style replication -- confirm
# it is still wanted after the upgrade.
replogfile      /var/lib/ldap/replog
# NOTE(review): loglevel 0 turns slapd logging off, so binds and failed
# operations are not recorded. "loglevel stats" would log connections,
# operations and their results, which is what an investigation needs.
loglevel        0

#######################################################################
# bdb database definitions (this header used to say "ldbm"; the backend
# actually configured below is bdb)
#######################################################################

database bdb

suffix          "dc=itia,dc=ntua,dc=gr"
# The rootdn is not subject to the access rules below, so its password is
# the most sensitive value in this file. The rootpw value is masked in this
# listing. NOTE(review): store it hashed (slappasswd output) rather than in
# cleartext, and keep this file unreadable to ordinary users.
rootdn "uid=admin,dc=itia,dc=ntua,dc=gr"
rootpw ##################
# Directory holding the *.bdb, __db.* and log.* files. Every file here must
# be owned by the account slapd runs as (openldap:openldap per the report
# above). NOTE(review): maintenance tools run as root can leave root-owned
# files behind, so check ownership after running them.
directory       "/var/lib/ldap"

# Attribute indexes: eq = equality, sub = substring. Each indexed attribute
# corresponds to a <attribute>.bdb file in the database directory.
index uid eq
index cn eq
index gn,mail eq,sub
index sn eq,sub
index ou eq
index default eq,sub
index objectClass eq

# Keep the operational attributes that record who changed an entry and when.
lastmod on

# Security policy: admin can do anything at all; userPassword can be
# read or written by self only; all other attributes readable by all,
# writeable by self. Anonymous access not allowed.
#
# How the rules are evaluated: slapd uses the first "access to" directive
# whose target matches, and within it the first matching "by" clause, so the
# order of the directives below is significant.
#
# NOTE(review): the summary above does not match the rules as written.
# "by self write" appears only on userPassword and the Samba attributes; the
# final catch-all gives authenticated users read access and nothing more.
# Anonymous clients get "auth" on the password attributes, which is what
# allows them to bind, and no access elsewhere.

access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# This is needed for Samba to be able to make group mappings
access to attrs=objectClass
        by dn="uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr" write
        by anonymous none
        by users read
        
# The Samba LM/NT password hashes are password-equivalent, so only the owner
# and the samba service account may read or write them. Everyone else gets
# "auth" only.
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr" write
        by self write
        by * auth

# Remaining Samba account attributes, plus displayName and description: the
# samba account and the entry owner may write, nobody else may read.
# NOTE(review): "by self write" here covers account-control attributes such
# as sambaAcctFlags, sambaSID, sambaPrimaryGroupSID, sambaLogonHours and
# sambaKickoffTime, so users can change these on their own entry. Consider
# limiting self write to the attributes a user legitimately maintains.
# NOTE(review): as pasted, the attrs= list starts at column 0 on its own
# line. slapd.conf continuation lines must begin with whitespace, so this is
# probably mail wrapping -- confirm against the live file.
access to 
attrs=sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr" write
        by self write
        by * none

# The Samba domain entry itself is accessible to the samba account only.
access to dn="sambaDomainName=ITIA,dc=itia,dc=ntua,dc=gr" attrs=entry
        by dn="uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr" write
        by * none

# Write access to "children" is what permits adding or deleting entries
# beneath a DN. Here it is granted to the samba account only, under the
# suffix and under ou=groups.
access to dn="dc=itia,dc=ntua,dc=gr" attrs=children
        by dn="uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr" write
        by * none

access to dn="ou=groups,dc=itia,dc=ntua,dc=gr" attrs=children
        by dn="uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr" write
        by * none

# Catch-all for everything not matched above: authenticated users may read,
# anonymous clients get nothing.
access to *
        by anonymous none
        by users read

# TLS settings. The cipher-suite line is commented out, so the TLS library's
# default cipher list is used.
# NOTE(review): the commented-out string includes SSLv2, an obsolete
# protocol; do not re-enable it as written.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile /etc/ssl/certs/itia.ntua.gr.pem
# The private key must be readable by the account slapd runs as and by no
# other unprivileged user.
TLSCertificateKeyFile /etc/ssl/private/itia.ntua.gr.pem
# "allow": a client certificate is requested but not required, and a missing
# or invalid one does not stop the session, so clients are not authenticated
# by certificate.
# NOTE(review): no "security" directive is visible in this listing, so
# nothing shown here forces binds to use TLS -- confirm it is enforced
# elsewhere if simple binds must not cross the network in cleartext.
TLSVerifyClient allow
