[Freeipa-users] IPA Query Tuning and a Recovery Question

Dmitri Pal dpal at redhat.com
Tue Sep 10 00:46:57 UTC 2013


On 09/09/2013 02:26 PM, Rich Megginson wrote:
> On 09/09/2013 11:40 AM, Charlie Derwent wrote:
>>
>> On Mon, Sep 9, 2013 at 5:32 PM, Rich Megginson <rmeggins at redhat.com>
>> wrote:
>>
>>     On 09/09/2013 10:20 AM, Charlie Derwent wrote:
>>>     Hi,
>>>      
>>>     2 questions, some of our automation accounts are needlessly
>>>     querying the IPA server every time they call a command via sudo.
>>>     This is generating a lot of noise in our access logs. Is there
>>>     any way to ensure certain system accounts don't call out to the
>>>     IPA server for additional groups or sudo permission when
>>>     completing tasks?
>>
>>     What are your client platforms?  Does sssd or newer versions of
>>     sudo cache?
>>
>> The clients are a mix of RHEL and CentOS 5.8 servers, what version am
>> I looking for any kind of caching?
>
> By default, on EL5, sudo has to connect/bind/search/close for every
> single sudo lookup.  I believe there are versions of sssd/sudo that do
> some sort of caching.  I'm not sure if those are available for EL5.

In RHEL 6.4, sudo can be integrated with SSSD, which would provide
caching of the sudo rules on the client.

>
>>
>>>      
>>>     The other question is slightly more embarrassing, one of our
>>>     guys saw /var filling and noticed that
>>>     /var/lib/dirsrv/slapd-EXAMPLE-COM/db/ had a load of "log" files
>>>     which looked like they weren't being tidied.
>>
>>     They are automatically cleaned up.  If you have a lot of updates,
>>     it may take longer.
>>      
>>
>>
>>>     One stupid decision later and I'm now here asking on his behalf
>>>     if there is any way of restoring the database from a replica or
>>>     is a complete rebuild required?
>>
>>     Just reinit the replica using ipa-replica-manage.
>>
>> Thanks will give it a go tomorrow. 
>>
>>>      
>>>     Second question is obviously a little bit more urgent than the
>>>     first but any advice is greatly appreciated.
>>>      
>>>     Thanks,
>>>     Charlie


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

