<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 09/16/2013 07:57 PM, Dmitri Pal
      wrote:<br>
    </div>
    <blockquote cite="mid:5237B70A.5050307@redhat.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      On 09/16/2013 12:02 PM, KodaK wrote:
      <blockquote
cite="mid:CAA9J0ZGCqwDcRMFqoru2wi1-xniLpygP57jEkfWCeg5-Vscc8g@mail.gmail.com"
        type="cite">
        <div dir="ltr">Yet another AIX related problem:
          <div><br>
          </div>
          <div>The AIX LDAP client is called secldapclntd (sure, they
            could make it more awkward, but the budget ran out.)  I'm
            running into the issue detailed here:</div>
          <div><br>
          </div>
          <div><a moz-do-not-send="true"
              href="http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344">http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344</a></div>
          <div><br>
          </div>
          <div>"<span style="color:rgb(51,51,51)">If an LDAP server
              fails to answer an LDAP query, </span><span
              style="color:rgb(51,51,51)">secldapclntd caches the </span><span
              style="color:rgb(51,51,51)">non-answered query negatively.
              This may happen if the </span><span
              style="color:rgb(51,51,51)">LDAP server is </span><span
              style="color:rgb(51,51,51)">down for example. After the
              LDAP server is back again </span><span
              style="color:rgb(51,51,51)">secldapclntd </span><span
              style="color:rgb(51,51,51)">will use the negative cache
              entry and the application </span><span
              style="color:rgb(51,51,51)">initiating the </span><span
              style="color:rgb(51,51,51)">original query will still fail
              until the cache entry </span><span
              style="color:rgb(51,51,51)">expires."</span></div>
          <div><br>
          </div>
          <div>IBM is working on porting the fix to our specific TL and
            SP levels.</div>
          <div><br>
          </div>
          <div>What I'm concerned with here, though, is *why* is it
            timing out?  I don't know what the current timeout values
            are (AIX sucks, etc.)</div>
          <div><br>
          </div>
          <div>I don't see timeout issues on my Linux boxes, which leads
            me to believe that either the sssd timouts are longer or
            that sssd is just more robust when dealing with timeouts.</div>
          <div><br>
          </div>
          <div> I believe I'm seeing similar behavior with LDAP sudo on
            AIX as well, because I occasionally have to re-run sudo
            commands because they initially fail (and I know I'm using
            the right passwords.)  However, sudo doesn't appear to have
            a cache (or it handles caching better.)</div>
          <div><br>
          </div>
          <div>Does anyone have any troubleshooting suggestions?  Any
            general "speed things up" suggestions on the IPA side?</div>
          <div><br>
          </div>
          <div>Thanks,</div>
          <div><br>
          </div>
          <div>--Jason<br clear="all">
            <div><br>
            </div>
            -- <br>
            The government is going to read our mail anyway, might as
            well make it tough for them.  GPG Public key ID:  B6A1A7C6 </div>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
      </blockquote>
      <br>
      Is the server FreeIPA?<br>
      Can see in the server logs what is actually happening is it the
      server that really takes time or there is a network connectivity
      issue or FW is dropping packets?<br>
      I would really start with the server side logs.<br>
    </blockquote>
    <br>
    As far as 389 goes, run logconv.pl against the access logs in
    /var/log/dirsrv/slapd-DOMAIN-COM<br>
    <blockquote cite="mid:5237B70A.5050307@redhat.com" type="cite"> <br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
  </body>
</html>