[Freeipa-users] Replication causing long etimes

Rich Megginson rmeggins at redhat.com
Wed Sep 4 18:28:45 UTC 2013


On 09/04/2013 12:18 PM, Terry Soucy wrote:
> I am experiencing some long execution times, and I'm wondering if 
> anyone can give me some insight.
>
> We are running FreeIPA 3.0.0-26 on Redhat 6.1.  We have multimaster 
> replication running among 4 hosts. We have approx. 100 users, 25 
> usergroups and hostgroups, and approx. 2000 hosts in a single domain. 
> We noticed that some DNS queries were timing out periodically. When I 
> investigated further, I found several of the DNS requests in the 
> access log:
>
> [04/Sep/2013:13:42:24 -0300] conn=122491 op=3888679 SRCH base="idnsName=compute-1.amazonaws.com,idnsname=prod.ca2.example.com,cn=dns,dc=example,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
> [04/Sep/2013:13:42:44 -0300] conn=122491 op=3888679 RESULT err=32 tag=101 nentries=0 etime=20
>
> There are a lot of those, as expected, since we first noticed this 
> issue with DNS.
>
> Then I found this ...
>
> [04/Sep/2013:13:42:23 -0300] conn=368561 op=9 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [04/Sep/2013:13:42:44 -0300] conn=368561 op=9 RESULT err=0 tag=120 nentries=0 etime=22
>
> and lots of this ...
>
> [04/Sep/2013:13:42:26 -0300] conn=368604 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [04/Sep/2013:13:42:44 -0300] conn=368604 op=0 RESULT err=14 tag=97 nentries=0 etime=18, SASL bind in progress
>
>
> So, is my SASL bind causing the replication to go long, or is the 
> replication taking a long time and causing the hang?

I don't know.  DNS could also be related.

If you can, please try to get a stack trace of the ns-slapd process 
during the time interval during which nothing appears to be happening.

http://port389.org/wiki/FAQ#Debugging_Hangs

> Is there a way I can see the details of the replication?

You can use the replication logging level
http://port389.org/wiki/FAQ#Troubleshooting

But I don't know if the problem is specifically replication related.

> There are not a lot of changes going on that require replication with 
> regards to dns, users, hosts, etc, so I'm not sure why it would take 
> so long.  Also, can I remove the SASL bind and just add a replication 
> user to the dse.ldif to remove the requirement for kerberos for 
> replication?

You technically could with 389, but I don't know if that is supported 
with IPA.

>
> Terry
> -- 
> Terry Soucy - Systems Engineer
> Salesforce MarketingCloud - http://www.salesforce.com
> (o) 506.631.7445 (c) 506.609.3247 | (e) tsoucy at salesforce.com
