<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Crud. That was supposed to have a second comparison log too: I found something in the slapd-FOO-NET/access log. I figured out which conn ID related to a sudo -i that I performed which took longer than expected and grepped for that conn ID: <tt>[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111</tt><tt> </tt><tt>[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"</tt><tt> </tt><tt>[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0</tt><tt> </tt><tt> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES</tt><tt> </tt><tt> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3</tt><tt> </tt><tt> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0</tt><tt> </tt><tt> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL</tt><tt> </tt><tt>[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0</tt><tt> </tt><tt> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL</tt><tt> </tt><tt> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0</tt><tt> </tt><tt> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL</tt><tt> </tt><tt> [26/May/2014:09:09:01 -0400] conn=183751</tt><tt> op=4 RESULT err=0 tag=101 nentries=0 etime=0</tt><tt> </tt><tt> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND</tt><tt> </tt><tt> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1</tt> I think this shows, roughly, a 7 second elapsed time from start to finish, right? Granted, there were other request being serficed during this interval as well, but nothing that looked like outrageous volume. On our faster network, this same exchange went much faster: <tt> </tt><tt>[26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from 192.168.2.13 to 192.168.2.61</tt><tt> </tt><tt>[26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"</tt><tt> </tt><tt>[26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 nentries=0 etime=0</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me"</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" attrs=ALL</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 nentries=0 etime=0</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" attrs=ALL</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 nentries=1 etime=0</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" attrs=ALL</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 nentries=0 etime=0</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND</tt><tt> </tt><tt>[26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1</tt> Bret <div class="moz-cite-prefix">On 05/26/2014 09:51 AM, Bret Wortman wrote: </div> <blockquote cite="mid:538346E3.6020601@damascusgrp.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> Okay, I found something in the slapd-FOO-NET/access log. I figured out which conn ID related to a sudo -i that I performed which took longer than expected and grepped for that conn ID: [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111 [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0 [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0 [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 </blockquote> </body> </html>