[Freeipa-users] Replication causing long etimes

Terry Soucy tsoucy at salesforce.com
Wed Sep 4 18:18:10 UTC 2013


I am experiencing some long execution times, and I'm wondering if anyone
can give me some insight.

We are running FreeIPA 3.0.0-26 on Red Hat 6.1.  We have multimaster
replication running among 4 hosts. We have approx 100 users, 25 usergroups
and hostgroups, and approx 2000 hosts in a single domain.  We noticed that
some DNS queries were timing out periodically. When I investigated further,
I found several of the DNS requests in the access log:

[04/Sep/2013:13:42:24 -0300] conn=122491 op=3888679 SRCH base="idnsName=compute-1.amazonaws.com,idnsname=prod.ca2.example.com,cn=dns,dc=example,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[04/Sep/2013:13:42:44 -0300] conn=122491 op=3888679 RESULT err=32 tag=101 nentries=0 etime=20

There are a lot of those, as expected, since we first noticed this issue
with DNS.

Then I found this ...

[04/Sep/2013:13:42:23 -0300] conn=368561 op=9 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[04/Sep/2013:13:42:44 -0300] conn=368561 op=9 RESULT err=0 tag=120 nentries=0 etime=22

and lots of this ...

[04/Sep/2013:13:42:26 -0300] conn=368604 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Sep/2013:13:42:44 -0300] conn=368604 op=0 RESULT err=14 tag=97 nentries=0 etime=18, SASL bind in progress


So, is my SASL bind causing the replication to go long, or is the
replication taking a long time and causing the hang?  Is there a way I can
see the details of the replication?  There are not a lot of changes going on
that require replication with regards to DNS, users, hosts, etc, so I'm not
sure why it would take so long.  Also, can I remove the SASL bind and just
add a replication user to the dse.ldif to remove the requirement for
Kerberos for replication?

Terry
-- 
Terry Soucy - Systems Engineer
Salesforce MarketingCloud - http://www.salesforce.com
(o) 506.631.7445 (c) 506.609.3247 | (e) tsoucy at salesforce.com