On 09/04/2013 12:18 PM, Terry Soucy wrote:
I am experiencing some long execution times, and I'm wondering if
anyone can give me some insight.
We are running FreeIPA 3.0.0-26 on Redhat 6.1. We have multimaster
replication running among 4 hosts. We have approx 100 users, 25
usergroups and hostgroups, and approx 2000 hosts in a single domain.
We noticed that some DNS queries were timing out periodically. When I
investigated further, I found several of the DNS requests in the
access log
[04/Sep/2013:13:42:24 -0300] conn=122491 op=3888679 SRCH base="idnsName=compute-1.amazonaws.com,idnsname=prod.ca2.example.com,cn=dns,dc=example,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[04/Sep/2013:13:42:44 -0300] conn=122491 op=3888679 RESULT err=32 tag=101 nentries=0 etime=20
There are a lot of those, as expected, since we first noticed this
issue with DNS.
Then I found this ...
[04/Sep/2013:13:42:23 -0300] conn=368561 op=9 EXT
oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[04/Sep/2013:13:42:44 -0300] conn=368561 op=9 RESULT err=0 tag=120
nentries=0 etime=22
and lots of this ...
[04/Sep/2013:13:42:26 -0300] conn=368604 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[04/Sep/2013:13:42:44 -0300] conn=368604 op=0 RESULT err=14 tag=97
nentries=0 etime=18, SASL bind in progress
So, is my SASL bind causing the replication to go long, or is the
replication taking a long time and causing the hang?
I don't know. DNS could also be related.
If you can, please try to get a stack trace of the ns-slapd process
during the time interval during which nothing appears to be happening.
http://port389.org/wiki/FAQ#Debugging_Hangs
Is there a way I can see the details of the replication?
You can use the replication logging level
http://port389.org/wiki/FAQ#Troubleshooting
But I don't know if the problem is specifically replication related.
There are not a lot of changes going on that require replication with
regards to dns, users, hosts, etc., so I'm not sure why it would take
so long. Also, can I remove the SASL bind and just add a replication
user to the dse.ldif to remove the requirement for kerberos for
replication?
You technically could with 389, but I don't know if that is supported
with IPA.
Terry
--
Terry Soucy - Systems Engineer
Salesforce MarketingCloud - http://www.salesforce.com
(o) 506.631.7445 (c) 506.609.3247 | (e) [email protected]
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users