
slapd stops authenticating



Hi,

I'm about at my wits' end trying to track this down
and wonder if anyone can give me any tips about how
to trap what is happening.

I have two redhat8 boxes running slapd, one is
a replica.  My third redhat8 box is my mail server
and it authenticates imaps and pop3s users via
pam/ldap.  It also authenticates users allowed to
relay via sendmail.

I only have about 50 users total in house.  The problem
is that after some variable amount of time, sometimes a few
hours, sometimes up to 36 hours, slapd stops authenticating
with the messages in the log files:

warning: cannot open /etc/hosts.deny: Too many open files

repetitively...

At this point all authentication stops on the mail server.

Then, at some point later, slapd rights itself as by the
time I get to the box, it is authenticating again... however,
the mail server is jammed... says it can't contact the ldap
server, even though connections everything is ok, and ldap
server will authenticate other systems... basically, looks
like the mailserver tries to authenticate a bunch of times
and then gives up and doesn't really try again after that
as rebooting the mailserver rights the problem, I don't
need to restart slapd or anything on the other box...

I've looked under /proc/<slapd-pid>/fd and there aren't many
files open... there are quite a lot of sockets open...
and when I do netstat | grep EST there are about 70 or
so ldap connections open between the mailserver and the
ldap server.. this number does seem to grow... as though
connections aren't being closed or something, but I'm not
sure if this is causing the problem?  Do they count as
files, but like I say, by the time I get to look at the
box (this seems to happen at night a great deal) things
look pretty normal.

My openldap servers are not public... they are behind my
firewall... so if someone is doing something to them, it
pretty much has to be thru sendmail or imaps or pop3s...
yet I don't see any sort of attack, just the usual spammers
trying to send to every known user under the earth mydomain com
Could that be causing it? In general these requests come in
about 20-30 seconds apart though, so it doesn't look like
they are overloading.


Anyway, can anyone give me any clues on what to watch or
some way I can monitor this to find out what is happening?
This has been going on for about 2 weeks and I have to
get it fixed.

Thanks
Bill
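
Added example, not part of the original post: one way to trap the condition described above is to log, at intervals, how many descriptors the slapd process holds (sockets counted separately, since each open socket uses a file descriptor) against its soft open-files limit. The function names, the 80% warning threshold and the availability of /proc/<pid>/limits on the running kernel are assumptions.

```bash
#!/usr/bin/env bash
# Added example: descriptor usage of one process, split into sockets and the rest.

# Print "total sockets other" for a /proc/<pid>/fd-style directory.
fd_summary() {
    local dir="$1" total=0 sockets=0 entry target
    for entry in "$dir"/*; do
        # Entries are symlinks, usually dangling (e.g. "socket:[12345]").
        [ -L "$entry" ] || continue
        target=$(readlink "$entry")
        total=$((total + 1))
        case "$target" in
            socket:*) sockets=$((sockets + 1)) ;;
        esac
    done
    echo "$total $sockets $((total - sockets))"
}

# Print the soft "Max open files" value from a /proc/<pid>/limits-style file.
# Assumption: the kernel exposes this file; otherwise pass the limit by hand.
soft_nofile() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Succeed while usage is below pct% (default 80) of the limit.
fd_headroom_ok() {
    local total="$1" limit="$2" pct="${3:-80}"
    [ $((total * 100)) -lt $((limit * pct)) ]
}

# Take one sample for a PID and print a timestamped line suitable for a log.
sample_pid() {
    local pid="$1" limit
    set -- $(fd_summary "/proc/$pid/fd")
    limit=$(soft_nofile "/proc/$pid/limits")
    echo "$(date '+%F %T') pid=$pid fds=$1 sockets=$2 other=$3 limit=$limit"
    fd_headroom_ok "$1" "$limit" || echo "WARN: pid=$pid is near its descriptor limit"
}

# Usage (as root on the LDAP server, e.g. once a minute from cron):
#   sample_pid "$(pidof -s slapd)" >> /var/log/slapd-fds.log
```

A steadily rising sockets count in the resulting log, with the other count flat, points at connections that are opened and never closed rather than at regular files.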




