<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/16/2013 07:57 PM, Dmitri Pal
wrote:<br>
</div>
<blockquote cite="mid:5237B70A.5050307@redhat.com" type="cite">
On 09/16/2013 12:02 PM, KodaK wrote:
<blockquote
cite="mid:CAA9J0ZGCqwDcRMFqoru2wi1-xniLpygP57jEkfWCeg5-Vscc8g@mail.gmail.com"
type="cite">
<div dir="ltr">Yet another AIX related problem:
<div><br>
</div>
<div>The AIX LDAP client is called secldapclntd (sure, they
could make it more awkward, but the budget ran out.) I'm
running into the issue detailed here:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344">http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344</a></div>
<div><br>
</div>
<div>"<span style="color:rgb(51,51,51)">If an LDAP server
fails to answer an LDAP query, </span><span
style="color:rgb(51,51,51)">secldapclntd caches the </span><span
style="color:rgb(51,51,51)">non-answered query negatively.
This may happen if the </span><span
style="color:rgb(51,51,51)">LDAP server is </span><span
style="color:rgb(51,51,51)">down for example. After the
LDAP server is back again </span><span
style="color:rgb(51,51,51)">secldapclntd </span><span
style="color:rgb(51,51,51)">will use the negative cache
entry and the application </span><span
style="color:rgb(51,51,51)">initiating the </span><span
style="color:rgb(51,51,51)">original query will still fail
until the cache entry </span><span
style="color:rgb(51,51,51)">expires."</span></div>
<div><br>
</div>
<div>IBM is working on porting the fix to our specific TL and
SP levels.</div>
<div><br>
</div>
<div>What I'm concerned with here, though, is *why* is it
timing out? I don't know what the current timeout values
are (AIX sucks, etc.)</div>
<div><br>
</div>
<div>I don't see timeout issues on my Linux boxes, which leads
me to believe that either the sssd timeouts are longer or
that sssd is just more robust when dealing with timeouts.</div>
<div><br>
</div>
<div> I believe I'm seeing similar behavior with LDAP sudo on
AIX as well, because I occasionally have to re-run sudo
commands because they initially fail (and I know I'm using
the right passwords.) However, sudo doesn't appear to have
a cache (or it handles caching better.)</div>
<div><br>
</div>
<div>Does anyone have any troubleshooting suggestions? Any
general "speed things up" suggestions on the IPA side?</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>--Jason<br clear="all">
<div><br>
</div>
-- <br>
The government is going to read our mail anyway, might as
well make it tough for them. GPG Public key ID: B6A1A7C6 </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
Is the server FreeIPA?<br>
Can you see in the server logs what is actually happening? Is it the
server that really takes time, or is there a network connectivity
issue, or is the FW dropping packets?<br>
I would really start with the server side logs.<br>
</blockquote>
<br>
As far as 389 goes, run logconv.pl against the access logs in
/var/log/dirsrv/slapd-DOMAIN-COM<br>
<blockquote cite="mid:5237B70A.5050307@redhat.com" type="cite"> <br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
<br>
</blockquote>
<br>
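<div>A sketch of the server-side access-log review suggested above, added here as an example (it is not logconv.pl and not code from anyone in this thread): it pairs each RESULT line in a 389 Directory Server access log with its request and lists operations whose etime meets a threshold, flagging unindexed searches. The sample log lines, addresses and DNs are constructed, and the name slow_operations is hypothetical.</div>
<pre>
```python
import re

# Constructed sample in the 389 Directory Server access-log format (not real data).
SAMPLE_LOG = '''\
[16/Sep/2013:12:01:07 -0500] conn=412 fd=78 slot=78 connection from 10.0.0.21 to 10.0.0.5
[16/Sep/2013:12:01:07 -0500] conn=412 op=0 BIND dn="uid=aixbind,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[16/Sep/2013:12:01:07 -0500] conn=412 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=aixbind,cn=sysaccounts,cn=etc,dc=example,dc=com"
[16/Sep/2013:12:01:07 -0500] conn=412 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jason)" attrs="uid uidNumber"
[16/Sep/2013:12:01:08 -0500] conn=412 op=1 RESULT err=0 tag=101 nentries=1 etime=1
[16/Sep/2013:12:01:08 -0500] conn=412 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(description=*ops*)" attrs=ALL
[16/Sep/2013:12:01:20 -0500] conn=412 op=2 RESULT err=0 tag=101 nentries=40 etime=12 notes=U
'''

CONN_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ')
OP_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) (\w+)(.*)$')
ETIME_RE = re.compile(r'\betime=([\d.]+)')
NOTES_RE = re.compile(r'\bnotes=([A-Z,]+)')


def slow_operations(log_text, threshold=5.0):
    """Return operations whose RESULT etime is at or above threshold seconds."""
    clients, requests, slow = {}, {}, []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            clients[m.group(1)] = m.group(2)  # conn id to client address
            continue
        m = OP_RE.match(line)
        if not m:
            continue
        stamp, conn, op, verb, rest = m.groups()
        if verb != "RESULT":
            # Remember the request so the later RESULT line can be explained.
            requests[(conn, op)] = (verb, rest.strip())
            continue
        et = ETIME_RE.search(rest)
        if et is None or threshold > float(et.group(1)):
            continue
        notes = NOTES_RE.search(rest)
        flags = notes.group(1).split(",") if notes else []
        req_verb, detail = requests.get((conn, op), ("?", ""))
        slow.append({
            "time": stamp, "client": clients.get(conn, "?"), "conn": conn, "op": op,
            "verb": req_verb, "etime": float(et.group(1)),
            "unindexed": "U" in flags or "A" in flags, "request": detail,
        })
    return sorted(slow, key=lambda r: r["etime"], reverse=True)
```
</pre>
<div>If the server log shows low etime values for the same requests the client reports as timed out, the delay is more likely on the network path or in the client than in the directory server.</div>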
</body>
</html>