<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I'm sorry that was my top unique filter list not my unindexed list. Please disregard my last email. <div><div><br></div><div><br><div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="color: rgb(0, 0, 0); font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">Thanks, </div><div style="color: rgb(0, 0, 0); font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">_____________________________________________________</div><div style="color: rgb(0, 0, 0); font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">John Moyer<br>Director, IT Operations</div><div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; "><b>Digital Reasoning Systems, Inc.</b></div><div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; "><a href="mailto:john.moyer@digitalreasoning.com">John.Moyer@digitalreasoning.com</a></div><div style="color: rgb(0, 0, 0); font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">Office:<span class="Apple-tab-span" style="white-space: pre; "> </span>703.678.2311<br>Mobile:<span class="Apple-tab-span" style="white-space: pre; "> </span>240.460.0023<br>Fax:<span class="Apple-tab-span" style="white-space: pre; "> </span>703.678.2312<br></div><div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; "><a href="http://www.digitalreasoning.com/">www.digitalreasoning.com</a></div></div></div></div></div></div></div></div>
</div>
<br><div><div>On Aug 30, 2013, at 3:47 PM, John Moyer <<a href="mailto:john.moyer@digitalreasoning.com">john.moyer@digitalreasoning.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">If objectclass eq is already indexed how are these on my top unindexed list? Wouldn't objectclass eq cover this (objectclass=inetorgperson)? and the third and fourth entry? I apologize if I'm way off as I am new to the intricacies of LDAP indexing. <div><br><div><br></div><div><br><div apple-content-edited="true">
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">Thanks, </div><div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">_____________________________________________________</div><div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">John Moyer<br>Director, IT Operations<br></div></div></div></div></div></div></div></div>
</div>
<br><div><div>On Aug 30, 2013, at 3:41 PM, Rich Megginson <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/30/2013 01:31 PM, John Moyer
wrote:<br>
</div>
<blockquote cite="mid:EAD4B05E-2C87-4E8D-B72D-4D47C0115216@digitalreasoning.com" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Rob or anyone else,
<div><br>
</div>
<div>So while struggling along on this server I just grabbed the
logs off it and ran that log program with the options you
suggested. There are a lot of unindexed requests. These are
the top issues I've removed the one username that showed up. </div>
<div><br>
</div>
<div>So just to double check what I'm thinking. I need to create
three indexes</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span>1.
objectclass pres</div>
</blockquote>
No, do not create this one<br>
<blockquote cite="mid:EAD4B05E-2C87-4E8D-B72D-4D47C0115216@digitalreasoning.com" type="cite">
<div><span class="Apple-tab-span" style="white-space:pre"> </span>2.
objectclass eq</div>
</blockquote>
This should already be indexed<br>
<blockquote cite="mid:EAD4B05E-2C87-4E8D-B72D-4D47C0115216@digitalreasoning.com" type="cite">
<div><span class="Apple-tab-span" style="white-space:pre"> </span>3.
uid pres <br>
</div>
</blockquote>
I suppose the UI might be doing this search?<br>
<blockquote cite="mid:EAD4B05E-2C87-4E8D-B72D-4D47C0115216@digitalreasoning.com" type="cite">
<div><br>
</div>
<div>Please let me know if I'm reading this correctly or if I'm
way off? </div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>7337 (objectclass=inetorgperson)</div>
<div>4597 (objectclass=*)</div>
<div>4560
(&(objectclass=inetorgperson)(uid=senior.developer.login))</div>
<div>307 (objectclass=krbticketpolicyaux)</div>
<div>292 (uid=*)</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div style="font-family: Helvetica; font-size: medium;
font-style: normal; font-variant: normal;
letter-spacing: normal; line-height: normal;
orphans: 2; text-align: -webkit-auto; text-indent:
0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px;
-webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; ">
<div style="font-family: Helvetica; font-size:
medium; font-style: normal; font-variant: normal;
letter-spacing: normal; line-height: normal;
orphans: 2; text-align: -webkit-auto; text-indent:
0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px;
-webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; ">
<div style="font-family: Helvetica; font-size:
medium; font-style: normal; font-variant:
normal; letter-spacing: normal; line-height:
normal; orphans: 2; text-align: -webkit-auto;
text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing:
0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px; word-wrap:
break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; ">
<div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">Thanks, </div>
<div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">_____________________________________________________</div>
<div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">John Moyer<br>
Director, IT Operations</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; "><b>Digital
Reasoning Systems, Inc.</b></div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; "><a moz-do-not-send="true" href="mailto:john.moyer@digitalreasoning.com">John.Moyer@digitalreasoning.com</a></div>
<div style="font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; ">Office:<span class="Apple-tab-span" style="white-space:
pre; "> </span>703.678.2311<br>
Mobile:<span class="Apple-tab-span" style="white-space: pre; "> </span>240.460.0023<br>
Fax:<span class="Apple-tab-span" style="white-space: pre; "> </span>703.678.2312<br>
</div>
<div style="font-weight: normal; font-family:
Calibri, sans-serif; font-size: 14px; "><a moz-do-not-send="true" href="http://www.digitalreasoning.com/">www.digitalreasoning.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div>
<div>On Aug 28, 2013, at 11:40 AM, Rob Crittenden <<a moz-do-not-send="true" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">John Moyer wrote:<br>
<blockquote type="cite">So this method of search logs is
great, and it shows some indexes that would likely highly
increase efficiency with my usage. So, are there
instructions how to do that? or do you know off hand how
to do that?<br>
</blockquote>
<br>
I'd start with <a moz-do-not-send="true" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes">https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes</a><br>
<br>
Note that you'll want to create the same index on all hosts.
This configuration is not replicated.<br>
<br>
You can see the ones we create in
/usr/share/ipa/indices.ldif and
/usr/share/ipa/updates/20-indices.update<br>
<br>
rob<br>
<br>
<blockquote type="cite"><br>
<br>
Thanks,<br>
_____________________________________________________<br>
John Moyer<br>
Director, IT Operations<br>
Digital Reasoning Systems, Inc.<br>
<a moz-do-not-send="true" href="mailto:John.Moyer@digitalreasoning.com">John.Moyer@digitalreasoning.com</a><br>
Office:<span class="Apple-tab-span" style="white-space:pre"> </span>703.678.2311<br>
Mobile:<span class="Apple-tab-span" style="white-space:pre"> </span>240.460.0023<br>
Fax:<span class="Apple-tab-span" style="white-space:pre">
</span><span class="Apple-tab-span" style="white-space:pre"> </span>703.678.2312<br>
<a class="moz-txt-link-abbreviated" href="http://www.digitalreasoning.com/">www.digitalreasoning.com</a><br>
<br>
On Aug 27, 2013, at 4:45 PM, Rob Crittenden
<a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> wrote:<br>
<br>
<blockquote type="cite">John Moyer wrote:<br>
<blockquote type="cite">Wow, this is quite insightful,
this is the output from that, it looks like there
aren't many unindexed searches (319 doesn't seem like
a lot to me at least). Do you have any suggestions
from this output?<br>
</blockquote>
<br>
There are a slew of options you can provide to
logconv.pl. I typically use logconv.pl -ula
/var/log/dirsrv/slapd-EXAMPLE-COM/access when doing
search analysis.<br>
<br>
rob<br>
<br>
<blockquote type="cite"><br>
<br>
<br>
Start of Log: 27/Aug/2013:02:36:08<br>
End of Log: 27/Aug/2013:12:17:15<br>
<br>
Processed Log Time: 9 Hours, 41 Minutes, 7 Seconds<br>
<br>
Restarts: 2<br>
Total Connections: 45224<br>
SSL Connections: 44735<br>
Peak Concurrent Connections: 76<br>
Total Operations: 132568<br>
Total Results: 132737<br>
Overall Performance: 100.0%<br>
<br>
Searches: 61318 (1.76/sec)
(105.52/min)<br>
Modifications: 277 (0.01/sec)
(0.48/min)<br>
Adds: 10 (0.00/sec)
(0.02/min)<br>
Deletes: 12 (0.00/sec)
(0.02/min)<br>
Mod RDNs: 0 (0.00/sec)
(0.00/min)<br>
Compares: 0 (0.00/sec)
(0.00/min)<br>
Binds: 62143 (1.78/sec)
(106.94/min)<br>
<br>
Proxied Auth Operations: 0<br>
Persistent Searches: 3<br>
Internal Operations: 0<br>
Entry Operations: 0<br>
Extended Operations: 8808<br>
Abandoned Requests: 0<br>
Smart Referrals Received: 0<br>
<br>
VLV Operations: 0<br>
VLV Unindexed Searches: 0<br>
SORT Operations: 353<br>
<br>
Entire Search Base Queries: 106<br>
Unindexed Searches: 319<br>
<br>
FDs Taken: 45262<br>
FDs Returned: 45210<br>
Highest FD Taken: 139<br>
<br>
Broken Pipes: 0<br>
Connections Reset By Peer: 0<br>
Resource Unavailable: 0<br>
<br>
Binds: 62143<br>
Unbinds: 44539<br>
<br>
LDAP v2 Binds: 2<br>
LDAP v3 Binds: 62141<br>
SSL Client Binds: 0<br>
Failed SSL Client Binds: 0<br>
SASL Binds: 1466<br>
1458 GSSAPI<br>
8 EXTERNAL<br>
<br>
Directory Manager Binds: 10<br>
Anonymous Binds: 1476<br>
Other Binds: 60657<br>
<br>
<br>
<br>
<br>
<br>
Thanks,<br>
_____________________________________________________<br>
John Moyer<br>
Director, IT Operations<br>
On Aug 27, 2013, at 1:13 PM, Rob Crittenden
<a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> wrote:<br>
<br>
<blockquote type="cite">John Moyer wrote:<br>
<blockquote type="cite">Is there any way to see what
fields are index'ed?<br>
</blockquote>
<br>
$ ldapsearch -LLL -D 'cn=directory manager' -W -x -b
'cn=index,cn=userRoot,cn=ldbm
database,cn=plugins,cn=config'<br>
<br>
Your best bet is to use the logconv.pl tool to
examine your logs.<br>
<br>
rob<br>
<br>
<blockquote type="cite"><br>
Thanks,<br>
_____________________________________________________<br>
John Moyer<br>
Director, IT Operations<br>
Digital Reasoning Systems, Inc.<br>
<a class="moz-txt-link-abbreviated" href="mailto:John.Moyer@digitalreasoning.com">John.Moyer@digitalreasoning.com</a><br>
Office:<span class="Apple-tab-span" style="white-space:pre"> </span>703.678.2311<br>
Mobile:<span class="Apple-tab-span" style="white-space:pre"> </span>240.460.0023<br>
Fax:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre">
</span>703.678.2312<br>
<a class="moz-txt-link-abbreviated" href="http://www.digitalreasoning.com/">www.digitalreasoning.com</a><br>
<br>
On Aug 27, 2013, at 10:36 AM, John Moyer
<a class="moz-txt-link-rfc2396E" href="mailto:john.moyer@digitalreasoning.com"><john.moyer@digitalreasoning.com></a> wrote:<br>
<br>
<blockquote type="cite">That looks like the output
I just got shown below:<br>
<br>
<br>
dn: cn=mapping tree,cn=config<br>
<br>
dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,cn=config<br>
<br>
dn:
cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,cn=config<br>
<br>
dn:
cn=<a href="http://metoipa2.example.com/">meToipa2.example.com</a>,cn=replica,cn=dc\3Dexample\<br>
2Cdc\3Dcom,cn=mapping tree,cn=config<br>
nsDS5ReplicatedAttributeList: (objectclass=*) $
EXCLUDE memberof idnssoaserial<br>
entryusn krblastsuccessfulauth
krblastfailedauth krbloginfailedcount<br>
nsDS5ReplicatedAttributeListTotal:
(objectclass=*) $ EXCLUDE entryusn krblasts<br>
uccessfulauth krblastfailedauth
krbloginfailedcount<br>
<br>
<br>
Thanks,<br>
_____________________________________________________<br>
John Moyer<br>
Director, IT Operations<br>
<br>
<br>
On Aug 27, 2013, at 10:14 AM, Rob Crittenden
<a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> wrote:<br>
<br>
<blockquote type="cite">John Moyer wrote:<br>
<blockquote type="cite">Ok, so we tried to
implement this again, and as soon as we put
on a<br>
server that authenticates heavily the IPA
came to it's knees again.<br>
This time I was able to watch it closely and
try to troubleshoot a lot<br>
more, and also know exactly what server
caused it (Mercurial with help<br>
of bamboo). This runs fine on a normal old
openldap servers. The<br>
user is logging in very quickly and each
time it logs in I can see in<br>
the logs that the krbLastsuccessfullogin
parameter (or whatever it is<br>
called) is updated over and over and over in
the changelog<br>
(/var/lib/dirsrv/slapd-$instanceid/db) those
logs are filling VERY<br>
quickly and then disappear fairly quickly as
well.<br>
<br>
Issue 1: This is causing severe disk latency
which obviously slows<br>
everything down wait times were around 25%+<br>
Issue 2: These changes need to be replicated
to my slave server thus<br>
adding to the mess<br>
<br>
<br>
My question is, why does the IPA server fail
to keep up with the load<br>
when the openLDAP server didn't have an
issue. Indexes?<br>
<br>
<br>
I'm running the following:<br>
<br>
CentOS release 6.4 (Final)<br>
389-ds-base-1.2.11.15-20.el6_4.x86_64<br>
389-ds-base-libs-1.2.11.15-20.el6_4.x86_64<br>
ipa-python-3.0.0-26.el6_4.4.x86_64<br>
ipa-admintools-3.0.0-26.el6_4.4.x86_64<br>
ipa-pki-common-theme-9.0.3-7.el6.noarch<br>
python-iniparse-0.3.1-2.1.el6.noarch<br>
ipa-server-3.0.0-26.el6_4.4.x86_64<br>
ipa-pki-ca-theme-9.0.3-7.el6.noarch<br>
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64<br>
libipa_hbac-1.9.2-82.7.el6_4.x86_64<br>
ipa-client-3.0.0-26.el6_4.4.x86_64<br>
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64<br>
<br>
<br>
So I've implemented this server anyway
(against my better judgement with<br>
these issues and just made the user that
logs into mercurial a local<br>
user instead of IPA).<br>
<br>
Also note before I did that for fun I
implemented a RAM disk to put the<br>
change logs on, and that dropped the wait
time to 0 (except bursts where<br>
it would raise to 30 to write the access
log) but the CPU drove to 100%<br>
trying to keep up with the load. I have
also killed the replication as<br>
well.<br>
<br>
Any help would be appreciated.<br>
<br>
</blockquote>
<br>
krblastsuccessfulauth should be excluded from
replication, though I guess that doesn't
prevent it from ending up in the changelog.<br>
<br>
You can confirm that they are excluded by
searching the agreements:<br>
<br>
$ ldapsearch -LLL -x -b 'cn=mapping
tree,cn=config' -D 'cn=directory manager' -W
nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeListTotal<br>
<br>
They should look like:<br>
<br>
nsDS5ReplicatedAttributeList: (objectclass=*)
$ EXCLUDE memberof idnssoaserial entryusn
krblastsuccessfulauth krblastfailedauth
krbloginfailedcount<br>
<br>
nsDS5ReplicatedAttributeListTotal:
(objectclass=*) $ EXCLUDE entryusn
krblastsuccessfulauth krblastfailedauth
krbloginfailedcount<br>
<br>
rob<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote></div><br></div></div></div></blockquote></div><br></div></div></body></html>