4 Replies Latest reply: Sep 7, 2012 2:04 PM by 960469

    Solaris Name Service Cache and Directory Proxy Problem

    960469
      We have some Solaris 10 clients ldapcliented to a Directory Proxy Server. After 15 minutes, the Solaris name service cache will fail to communicate to the proxy instance and the proxy instance's readconnectionsrefused attribute will start incrementing.

      At first it seemed we would need to increase the worker-threads and num-bind-limit, but those do not fix the problem.

      At the same time the name-service-cache starts failing, I am still able to query and search the proxy. I have set up a Jmeter test which continues to run and they never fail.

      It seems very consistent that the problem with the name-service-cache occurs every 15 minutes and I am able to reproduce this at the client's site and in my lab. Restarting either the proxy or the name-service-cache clears the problem.

      Has anyone else seen this problem?

      Edited by: 957466 on Sep 6, 2012 9:11 AM
        • 1. Re: Solaris Name Service Cache and Directory Proxy Problem
          Sylvain Duloutre-Oracle
          Hello,
          It may be worth having a look at the proxy access log.
          The problem might be due to inactive connections dropped by the proxy (connection idle timeout) or other connection-related problems.
          My 2 cents

          Sylvain
          • 2. Re: Solaris Name Service Cache and Directory Proxy Problem
            960469
            Thanks for the suggestion. It is odd that if I client directly to the Directory Server and not the Directory Proxy, then the name-service-cache problems don't exist. The Proxy and Directory Server are on the same server.

            I didn't see anything obvious in the access logs.

            Edited by: 957466 on Sep 6, 2012 1:30 PM
            • 3. Re: Solaris Name Service Cache and Directory Proxy Problem
              Sylvain Duloutre-Oracle
              Hi,

              The fact that readconnectionsrefused increases seems to indicate that the problem is between the proxy and the backend server.
              For some reason, DPS cannot grab a valid connection to forward the traffic to the directory server.
              DPS uses connection pooling, so it may be negatively impacted when the directory server is configured to drop idle connections after a while.
              Could you please check whether the directory server is configured to drop inactive connections after 15 minutes? If this is the case, this would explain the issue and then we could devise the best solution to address it.

              See idle-timeout property in http://docs.oracle.com/cd/E19424-01/820-4813/idle-timeout-5dsconf/index.html

              HTH

              -Sylvain
              • 4. Re: Solaris Name Service Cache and Directory Proxy Problem
                960469
                The idle-timeout on DSEE was set to none, which I believe is the default. I tried setting it to 1200 and 2400 seconds without success.

                get-ldap-data-source-pool-prop:
                <pre>
                client-affinity-bind-dn-filters : any
                client-affinity-criteria : connection
                client-affinity-ip-address-filters : any
                client-affinity-policy : write-affinity-after-write
                client-affinity-timeout : 20s
                description : -
                enable-client-affinity : false
                load-balancing-algorithm : proportional
                minimum-total-weight : 100
                proportion : 100
                sample-size : 100
                </pre>

                get-ldap-data-source-prop:
                <pre>
                bind-dn : none
                bind-pwd : none
                client-cred-mode : use-client-identity
                connect-timeout : 10s
                description : -
                down-monitoring-interval : inherited
                is-enabled : true
                is-read-only : false
                ldap-address : localhost
                ldap-port : ldap
                ldaps-port : ldaps
                monitoring-bind-dn : none
                monitoring-bind-pwd : none
                monitoring-bind-timeout : 5s
                monitoring-entry-dn : ""
                monitoring-entry-timeout : 5s
                monitoring-inactivity-timeout : 2m
                monitoring-interval : 30s
                monitoring-mode : proactive
                monitoring-retry-count : 3
                monitoring-search-filter : (objectClass=*)
                monitoring-search-scope : base
                num-bind-incr : 10
                num-bind-init : 2
                num-bind-limit : 1024
                num-read-incr : 10
                num-read-init : 2
                num-read-limit : 1024
                num-write-incr : 10
                num-write-init : 2
                num-write-limit : 1024
                proxied-auth-use-v1 : false
                ssl-policy : never
                use-read-connections-for-writes : false
                use-tcp-keep-alive : true
                use-tcp-no-delay : true
                </pre>
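
The comparison asked for in reply 3, as an added example (not code from the thread or from Oracle): it parses `name : value` property output in the format pasted in reply 4 and compares a backend idle-timeout against the proxy's monitoring settings. Reading `monitoring-inactivity-timeout` as the idle period after which a proactively monitored pooled connection is tested is an assumption, and the sample text is a subset copied from reply 4.

```python
import re

# Constructed sample: a subset of the data-source properties pasted in reply 4.
DATA_SOURCE_PROPS = """\
monitoring-inactivity-timeout : 2m
monitoring-interval : 30s
monitoring-mode : proactive
use-tcp-keep-alive : true
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_props(text):
    """Parse 'name : value' lines (the format pasted above) into a dict."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            props[name.strip()] = value.strip()
    return props

def to_seconds(value):
    """'2m' -> 120, '30s' -> 30, bare '1200' -> 1200 seconds, 'none' -> None."""
    if value == "none":
        return None
    m = re.fullmatch(r"(\d+)(s|m|h|d)?", value)
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def check_idle_timeout(backend_idle_timeout, props):
    """Return (verdict, reason) for one backend idle-timeout setting."""
    idle = to_seconds(backend_idle_timeout)
    if idle is None:
        return "ok", "backend never drops idle connections"
    if props.get("monitoring-mode") != "proactive":
        return "risk", "pooled connections are not tested while idle"
    # Assumption: an idle pooled connection is tested after this long.
    probe = to_seconds(props.get("monitoring-inactivity-timeout", "none"))
    if probe is None or probe >= idle:
        return "risk", f"backend drops at {idle}s, before any idle test"
    return "ok", f"idle test at {probe}s precedes backend drop at {idle}s"

if __name__ == "__main__":
    props = parse_props(DATA_SOURCE_PROPS)
    for setting in ("none", "1200", "2400"):  # values tried in reply 4
        print(setting, *check_idle_timeout(setting, props))
```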