LDAP disallow bind_anon and degrading server performance
July 27, 2004 at 2:35 pm #358576
Anonymous
Guest
We just experienced an unfortunate event last night when we enabled the “disallow bind_anon” flag in our slapd.conf file.
After enabling this flag, we began to experience “weird” problems.
We are running OD, Mail, and Web services.
Rebooting our Panther 10.3.4, the system would come up quickly and normally. However, directory accounts seemed incredibly sluggish. We knew that the accounts were being properly accessed in LDAP because we were able to get our Mail, login, etc.
However, after a period of about 3 to 5 minutes, the server would begin to “degrade.” It appeared that Mail performance would drop off, Server Admin would eventually stop receiving updates, Mail would eventually halt altogether, SSH login would stop, etc.
Eventually, SSH would stop responding to even the local NetInfo users. Only the users who were already logged in had control to reboot the server and begin the degrade again.
After turning off disallow bind_anon, the server would function quickly and normally.
Has anyone experienced this problem before? Or have any insight as to why requiring authenticated bind could appear to cause such a degrading server?
BTW, we were able to recreate the problem:
We actually rebuilt the server yesterday, applied updates, and then began rebuilding and turning on the appropriate services.
After turning on the “disallow bind_anon” directive the problems would begin.
Obey
August 4, 2004 at 4:40 pm #358674
Anonymous
Guest
Yeah, the binding user was added in to the directory.
We finally ended up turning off the bind_anon until we can further troubleshoot.
Funny thing is that my co-worker _just_ finished the ACSA Server Admin class. In that class, they covered the “disallow bind_anon” and it (apparently) worked well.
This must have something to do with the manner that the other OS X services interact with the directory service.
It’s just freakin’ strange…
August 4, 2004 at 5:57 pm #358676
honestpuck
Participant
Obery,
You said :-
[QUOTE]
This must have something to do with the manner that the other OS X services interact with the directory service.
It’s just freakin’ strange…
[/QUOTE]
I had a hard think about this when you first posted but didn’t come up with any concrete suggestions.
I was thinking something similar about the interaction of other services. It’s my bet that you have some process that wants to do a check on a username that isn’t set up for a user bind and is making multiple attempts due to the failure of an anonymous bind. I haven’t checked the doco but I’d suspect some part of the mail receipt process, perhaps.
I’d love to see all your logs – I bet there’s a log entry somewhere that mentions an LDAP failure, repeatedly.
Tony
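Added example, not part of the thread: one way to test the retry hypothesis above is to count the anonymous binds that slapd refused, grouped by client address. It assumes slapd logs at the stats level in the usual OpenLDAP `conn=… op=… BIND` / `RESULT … err=48` form; the sample lines, addresses and DN are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample (not the poster's logs), in OpenLDAP stats-level log style.
SAMPLE_LOG = """\
slapd[312]: conn=1001 fd=14 ACCEPT from IP=127.0.0.1:49152 (IP=0.0.0.0:389)
slapd[312]: conn=1001 op=0 BIND dn="" method=128
slapd[312]: conn=1001 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
slapd[312]: conn=1001 op=1 BIND dn="" method=128
slapd[312]: conn=1001 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
slapd[312]: conn=1002 fd=15 ACCEPT from IP=10.0.0.5:50211 (IP=0.0.0.0:389)
slapd[312]: conn=1002 op=0 BIND dn="uid=binder,cn=users,dc=example,dc=com" method=128
slapd[312]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[312]: conn=1003 fd=14 ACCEPT from IP=127.0.0.1:49153 (IP=0.0.0.0:389)
slapd[312]: conn=1003 op=0 BIND dn="" method=128
slapd[312]: conn=1003 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
"""

# tag=97 is a bind response; err=48 is LDAP inappropriateAuthentication.
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def rejected_anonymous_binds(log_text):
    """Count anonymous binds refused with err=48, keyed by client IP."""
    client_of = {}      # connection id -> client IP seen on ACCEPT
    anon_ops = set()    # (conn, op) pairs whose BIND carried an empty DN
    refused = Counter()
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := BIND.search(line):
            if m.group(3) == "":
                anon_ops.add((m.group(1), m.group(2)))
        elif m := RESULT.search(line):
            conn, op, err = m.groups()
            if err == "48" and (conn, op) in anon_ops:
                refused[client_of.get(conn, "unknown")] += 1
    return refused

def retry_loops(log_text, threshold=3):
    """Clients with at least `threshold` refused anonymous binds."""
    counts = rejected_anonymous_binds(log_text)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in retry_loops(SAMPLE_LOG).items():
        print(f"{ip}: {n} refused anonymous binds")
```

A high count from 127.0.0.1 would point at a service on the server itself rather than a remote client.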