LDAP: Too many connections

Michael Harlaut m.harlaut at atolcd.com
Wed Jan 5 21:06:22 CET 2005


Hi,

While doing my tests, I encountered a strange behaviour with Kolab2b1 while using
some clients: Outlook Express (mainly) and Evolution (not as much).

Of course, Kolab is designed more for use with Outlook and a connector, but a
large part of our contacts are currently using the "express" version, and we
have to migrate them in several steps, for example (there is no definitive
way to migrate):

- Migrate all existing Outlook Express mails into Cyrus-IMAP
- Use Outlook Express during the migration process
- Migrate to Outlook with the connector, or to Aethera

Anyway, here is a method to generate something like a "denial of service" on the
LDAP server, and on the Kolab server by extension :)

- Add an IMAP account to Outlook Express with tens of folders (at least 20,
which is not so hard to find with some users) and a lot of mails (thousands...).
- In the account properties, select "synchronize all" (headers and body on
all folders).
- Press "synchronize" or "send/receive".

Outlook will then stress the server a lot, and a "netstat" command will show
that the number of LDAP connections is increasing A LOT (every synchronisation or
send/receive action will result in 9 or 10 new connections for each folder).

After doing this several times, Cyrus will reject all new connections, once the
number of open LDAP connections has reached ~500 or 600! OpenLDAP says "Too
many connections".

Those connections will be released only after at least one minute, and during
this time the IMAP server will be totally unreachable.

It can also be reproduced with Evolution, simply by attempting to connect to the
server without giving any password. Each time the connection fails, there are 4
or 5 new LDAP entries in the "netstat" output.

It takes more time, but it is also possible to make the server unreachable.

The only way I've found to avoid this behaviour is to modify the imapd.conf
file, commenting out the LDAP part:

# support for lookup of mailbox name from local LDAP server
ldap_uri:               ldap://127.0.0.1:389
ldap_base:              dc=atolcd,dc=com
ldap_bind_dn:           cn=nobody,cn=internal,dc=atolcd,dc=com
ldap_password:          7RQzdA4im9p3lbE+py9cMw/xbQqXVVvQHXZyCZ1w
ldap_time_limit:        15
virtdomains:            ldap

and replacing it with

virtdomains:            userid

Of course, it seems mainly related to the way some clients manage IMAP, but I'm
not sure this isn't a source of problems in terms of scalability.

5 Outlook Express users are enough to reproduce this in a production
environment.

Perhaps I'm not as clear as I'd like to be, but do not hesitate to ask me for
more details :)

Regards,

--
Michael Harlaut
Atol Conseils et développements
21600 Longvic
http://www.atolcd.com/
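A defender-side check suggested by the observation above, written as an added example that is not part of the original message: it parses "netstat -tn" output, counts sockets on the LDAP port by TCP state and established IMAP sessions per client, and warns when the LDAP count approaches a configured limit. The sample netstat lines, the limit of 512 and the warning ratio are constructed assumptions, not values from the poster's server.

```python
import re
from collections import Counter

LDAP_PORT = 389           # ldap_uri in imapd.conf points at 127.0.0.1:389
IMAP_PORTS = {143, 993}   # IMAP and IMAPS as served by Cyrus

# Constructed sample of `netstat -tn` output; not captured from the poster's server.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:389           127.0.0.1:45012         ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:45013         ESTABLISHED
tcp        0      0 127.0.0.1:389           127.0.0.1:45014         TIME_WAIT
tcp        0      0 192.0.2.10:143          198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:143          198.51.100.7:51003      ESTABLISHED
tcp        0      0 192.0.2.10:143          198.51.100.9:40211      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40300      ESTABLISHED
"""

# Linux netstat line: proto, recv-q, send-q, local addr:port, remote addr:port, state.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for every TCP line in netstat output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def ldap_states(text):
    """Count sockets on the LDAP port by TCP state; sockets in TIME_WAIT still
    linger for a while after the lookup has finished."""
    return Counter(state for port, _, state in parse_netstat(text) if port == LDAP_PORT)


def imap_clients(text):
    """Count established IMAP sessions per remote client, to find the client
    that is driving the LDAP lookups."""
    return Counter(ip for port, ip, state in parse_netstat(text)
                   if port in IMAP_PORTS and state == "ESTABLISHED")


def check_ldap_load(text, ldap_limit=512, warn_ratio=0.8):
    """Return (ldap_total, warning, busiest_imap_client). ldap_limit is an assumed
    server-side connection cap; warn once usage reaches warn_ratio of it."""
    total = sum(ldap_states(text).values())
    clients = imap_clients(text)
    busiest = clients.most_common(1)[0][0] if clients else None
    return total, total >= ldap_limit * warn_ratio, busiest


if __name__ == "__main__":
    print(check_ldap_load(SAMPLE_NETSTAT, ldap_limit=3))
```

Feeding it live output (for example `netstat -tn | python3 this_script.py` with a small read from stdin) every few seconds gives an early warning before the server starts refusing LDAP binds.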
