<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 09/04/2013 12:18 PM, Terry Soucy
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFjztcFdAcu6RTJKBW4Q9BTqMEO0CS_Qta+vVmKd=6ALR7SwjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">I am experiencing some long execution times, and
        I'm wondering if anyone can give me some insight.
        <div><br>
        </div>
        <div>We are running FreeIPA 3.0.0-26 on Red Hat 6.1.  We have
          multimaster replication running among 4 hosts. We have approx
          100 users, 25 usergroups and hostgroups, and approx 2000 hosts
          in a single domain.  We noticed that some DNS queries were
          timing out periodically. When I investigated further, I found
          several of the DNS requests in the access log</div>
        <div><br>
        </div>
        <div>
          <div>[04/Sep/2013:13:42:24 -0300] conn=122491 op=3888679 SRCH
            base="idnsName=compute-1.amazonaws.com,idnsname=prod.ca2.example.com,cn=dns,dc=example,dc=com"
            scope=0 filter="(objectClass=idnsRecord)" attrs=ALL</div>
          <div>[04/Sep/2013:13:42:44 -0300] conn=122491 op=3888679
            RESULT err=32 tag=101 nentries=0 etime=20</div>
          <div><br>
          </div>
          <div>There are a lot of those, as expected, since we first
            noticed this issue with DNS.</div>
          <div><br>
          </div>
          <div>Then I found this ...</div>
          <div><br>
          </div>
          <div>
            <div>[04/Sep/2013:13:42:23 -0300] conn=368561 op=9 EXT
              oid="2.16.840.1.113730.3.5.5" name="Netscape Replication
              End Session"</div>
            <div>
              [04/Sep/2013:13:42:44 -0300] conn=368561 op=9 RESULT err=0
              tag=120 nentries=0 etime=22</div>
          </div>
          <div><br>
          </div>
          <div>and lots of this ...</div>
          <div><br>
          </div>
          <div>
            <div>[04/Sep/2013:13:42:26 -0300] conn=368604 op=0 BIND
              dn="" method=sasl version=3 mech=GSSAPI</div>
            <div>[04/Sep/2013:13:42:44 -0300] conn=368604 op=0 RESULT
              err=14 tag=97 nentries=0 etime=18, SASL bind in progress</div>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>So, is my SASL bind causing the replication to go long,
            or is the replication taking a long time and causing the
            hang?</div>
        </div>
      </div>
    </blockquote>
    <br>
    I don't know.  DNS could also be related.<br>
    <br>
    If you can, please try to get a stack trace of the ns-slapd process
    during the time interval during which nothing appears to be
    happening.<br>
    <br>
    <a class="moz-txt-link-freetext" href="http://port389.org/wiki/FAQ#Debugging_Hangs">http://port389.org/wiki/FAQ#Debugging_Hangs</a><br>
    <br>
    <blockquote
cite="mid:CAFjztcFdAcu6RTJKBW4Q9BTqMEO0CS_Qta+vVmKd=6ALR7SwjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>Is there a way I can see the details of the replication?</div>
        </div>
      </div>
    </blockquote>
    <br>
    You can use the replication logging level<br>
    <a class="moz-txt-link-freetext" href="http://port389.org/wiki/FAQ#Troubleshooting">http://port389.org/wiki/FAQ#Troubleshooting</a><br>
    <br>
    But I don't know if the problem is specifically replication-related.<br>
    <blockquote
cite="mid:CAFjztcFdAcu6RTJKBW4Q9BTqMEO0CS_Qta+vVmKd=6ALR7SwjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>There are not a lot of changes going on that require
            replication with regards to DNS, users, hosts, etc, so I'm
            not sure why it would take so long.  Also, can I remove the
            SASL bind and just add a replication user to the dse.ldif to
            remove the requirement for Kerberos for replication?</div>
        </div>
      </div>
    </blockquote>
    <br>
    You technically could with 389, but I don't know if that is
    supported with IPA.<br>
    <br>
    <blockquote
cite="mid:CAFjztcFdAcu6RTJKBW4Q9BTqMEO0CS_Qta+vVmKd=6ALR7SwjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          <div>Terry</div>
          -- <br>
          <div dir="ltr">Terry Soucy - Systems Engineer<br>
            Salesforce MarketingCloud - <a moz-do-not-send="true"
              href="http://www.salesforce.com" target="_blank">http://www.salesforce.com</a><br>
            (o) 506.631.7445 (c) 506.609.3247 | (e) <a
              moz-do-not-send="true" href="mailto:tsoucy@salesforce.com"
              target="_blank">tsoucy@salesforce.com</a></div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>