[Freeipa-users] Timeout (?) issues
Rich Megginson
rmeggins at redhat.com
Thu Sep 19 19:51:12 UTC 2013
On 09/19/2013 12:57 PM, KodaK wrote:
> Well, this is awkward:
>
> [root at slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
> 5453936
> [root at slpidml01 slapd-UNIX-xxx-COM]#
Why is it awkward?
>
>
> On Thu, Sep 19, 2013 at 1:48 PM, KodaK <sakodak at gmail.com
> <mailto:sakodak at gmail.com>> wrote:
>
> Thanks. I've been running that against my logs, and this has to
> be abnormal:
>
> err=32 129274 No Such Object
> err=0 10952 Successful Operations
> err=14 536 SASL Bind in Progress
> err=53 39 Unwilling To Perform
> err=49 3 Invalid Credentials (Bad Password)
>
> I'm still trying to figure out why there are so many error 32s.
> Are there any usual suspects I should know about? (That's just
> the current access log, btw.)
>
>
> On Tue, Sep 17, 2013 at 9:01 AM, Rich Megginson
> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>> wrote:
>
> On 09/16/2013 07:57 PM, Dmitri Pal wrote:
>> On 09/16/2013 12:02 PM, KodaK wrote:
>>> Yet another AIX related problem:
>>>
>>> The AIX LDAP client is called secldapclntd (sure, they could
>>> make it more awkward, but the budget ran out.) I'm running
>>> into the issue detailed here:
>>>
>>> http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344
>>>
>>> "If an LDAP server fails to answer an LDAP query,
>>> secldapclntd caches the non-answered query negatively. This
>>> may happen if the LDAP server is down for example. After the
>>> LDAP server is back again secldapclntd will use the negative
>>> cache entry and the application initiating the original
>>> query will still fail until the cache entry expires."
>>>
>>> IBM is working on porting the fix to our specific TL and SP
>>> levels.
>>>
>>> What I'm concerned with here, though, is *why* is it timing
>>> out? I don't know what the current timeout values are (AIX
>>> sucks, etc.)
>>>
>>> I don't see timeout issues on my Linux boxes, which leads me
>>> to believe that either the sssd timouts are longer or that
>>> sssd is just more robust when dealing with timeouts.
>>>
>>> I believe I'm seeing similar behavior with LDAP sudo on AIX
>>> as well, because I occasionally have to re-run sudo commands
>>> because they initially fail (and I know I'm using the right
>>> passwords.) However, sudo doesn't appear to have a cache
>>> (or it handles caching better.)
>>>
>>> Does anyone have any troubleshooting suggestions? Any
>>> general "speed things up" suggestions on the IPA side?
>>>
>>> Thanks,
>>>
>>> --Jason
>>>
>>> --
>>> The government is going to read our mail anyway, might as
>>> well make it tough for them. GPG Public key ID: B6A1A7C6
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> Is the server FreeIPA?
>> Can see in the server logs what is actually happening is it
>> the server that really takes time or there is a network
>> connectivity issue or FW is dropping packets?
>> I would really start with the server side logs.
>
> As far as 389 goes, run logconv.pl <http://logconv.pl> against
> the access logs in /var/log/dirsrv/slapd-DOMAIN-COM
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
> --
> The government is going to read our mail anyway, might as well
> make it tough for them. GPG Public key ID: B6A1A7C6
>
>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130919/f9fe39e2/attachment.htm>
More information about the Freeipa-users
mailing list