This discussion is archived
4 Replies. Latest reply: Sep 7, 2012 12:04 PM by 960469

Solaris Name Service Cache and Directory Proxy Problem

960469 Newbie
We have some Solaris 10 clients ldapcliented to a Directory Proxy Server. After 15 minutes, the Solaris name service cache will fail to communicate to the proxy instance and the proxy instance's readconnectionsrefused attribute will start incrementing.

At first it seemed we would need to increase the worker-threads and num-bind-limit, but those do not fix the problem.

At the same time the name-service-cache starts failing, I am still able to query and search the proxy. I have set up a JMeter test which continues to run and it never fails.

It seems very consistent that the problem with the name-service-cache occurs every 15 minutes and I am able to reproduce this at the client's site and in my lab. Restarting either the proxy or the name-service-cache clears the problem.

Has anyone else seen this problem?

Edited by: 957466 on Sep 6, 2012 9:11 AM
  • 1. Re: Solaris Name Service Cache and Directory Proxy Problem
    Sylvain Duloutre Pro
    Hello,
    It may be worth having a look at the proxy access log.
    The problem might be due to inactive connections dropped by the proxy (connection idle timeout) or other connection-related problems.
    My 2 cents

    Sylvain
  • 2. Re: Solaris Name Service Cache and Directory Proxy Problem
    960469 Newbie
    Thanks for the suggestion. It is odd that if I client directly to the Directory Server and not the Directory Proxy, then the name-service-cache problems don't exist. The Proxy and Directory Server are on the same server.

    I didn't see anything obvious in the access logs.

    Edited by: 957466 on Sep 6, 2012 1:30 PM
  • 3. Re: Solaris Name Service Cache and Directory Proxy Problem
    Sylvain Duloutre Pro
    Hi,

    The fact that readconnectionsrefused increases seems to indicate that the problem is between the proxy and the backend server.
    For some reason, DPS cannot grab a valid connection to forward the traffic to the directory server.
    DPS uses connection pooling, so it may be negatively impacted when the directory server is configured to drop idle connections after a while.
    Could you please check whether the directory server is configured to drop inactive connections after 15 min? If this is the case, this would explain the issue and then we could devise the best solution to address it.

    See idle-timeout property in http://docs.oracle.com/cd/E19424-01/820-4813/idle-timeout-5dsconf/index.html

    HTH

    -Sylvain
  • 4. Re: Solaris Name Service Cache and Directory Proxy Problem
    960469 Newbie
    The idle-timeout on DSEE was set to none, which I believe is the default. I tried setting it to 1200 and 2400 seconds without success.

    h3. get-ldap-data-source-pool-prop
    <pre>
    client-affinity-bind-dn-filters : any
    client-affinity-criteria : connection
    client-affinity-ip-address-filters : any
    client-affinity-policy : write-affinity-after-write
    client-affinity-timeout : 20s
    description : -
    enable-client-affinity : false
    load-balancing-algorithm : proportional
    minimum-total-weight : 100
    proportion : 100
    sample-size : 100
    </pre>

    h3. get-ldap-data-source-prop
    <pre>
    bind-dn : none
    bind-pwd : none
    client-cred-mode : use-client-identity
    connect-timeout : 10s
    description : -
    down-monitoring-interval : inherited
    is-enabled : true
    is-read-only : false
    ldap-address : localhost
    ldap-port : ldap
    ldaps-port : ldaps
    monitoring-bind-dn : none
    monitoring-bind-pwd : none
    monitoring-bind-timeout : 5s
    monitoring-entry-dn : ""
    monitoring-entry-timeout : 5s
    monitoring-inactivity-timeout : 2m
    monitoring-interval : 30s
    monitoring-mode : proactive
    monitoring-retry-count : 3
    monitoring-search-filter : (objectClass=*)
    monitoring-search-scope : base
    num-bind-incr : 10
    num-bind-init : 2
    num-bind-limit : 1024
    num-read-incr : 10
    num-read-init : 2
    num-read-limit : 1024
    num-write-incr : 10
    num-write-init : 2
    num-write-limit : 1024
    proxied-auth-use-v1 : false
    ssl-policy : never
    use-read-connections-for-writes : false
    use-tcp-keep-alive : true
    use-tcp-no-delay : true
    </pre>
