Dmitri Pal wrote:
> On 12/04/2014 09:41 AM, Rich Megginson wrote:
>> On 12/04/2014 08:39 AM, Rich Megginson wrote:
>>> On 12/04/2014 01:45 AM, Petr Spacek wrote:
>>>> On 4.12.2014 05:02, Janelle wrote:
>>>>> Thanks -- still a bit strange that it did not show up on some
>>>>> servers - very random and intermittent.
>>>>>
>>>>> BTW - a bit of information others might find useful. If you try to
>>>>> use the "LDAP" portion of IPA for authentication - rather than fully
>>>>> installing the IPA client and using Kerberos - the servers running
>>>>> ds-389 do not do well in handling the load. In other words - a few
>>>>> hundred hosts trying to authenticate via LDAP only will send CPU
>>>>> through the roof and crashes the slapd process often.
>>>
>>> That should not happen.
>>> For crashes, we would need to look at some stack traces:
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>>> For situations when the CPU is through the roof, that is very similar
>>> to debugging hangs:
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>>
>> Sorry, forgot to mention that since this is IPA you'll also need to
>> install the ipa-debuginfo and slapi-nis-debuginfo packages.
>>
>
> I would also add a question about your client configuration.
> For example if you use SSSD with enumerate=true for your clients then
> yes you will get your environment to the knees pretty quickly.

I assumed SSSD wasn't being used at all which begs the question: what is? nss_ldap? Is nslcd being used? What is hitting LDAP, only auth or something else (e.g. sudo, automount)?

rob

>
>>>
>>>>> Since IPA is supposed to handle all options, I guess I am
>>>>> disappointed.
>>>>>
>>>>> regards
>>>>> ~J
>>>>>
>>>>>
>>>>> On 12/3/14 2:56 PM, Dmitri Pal wrote:
>>>>>> On 12/03/2014 04:40 PM, Janelle wrote:
>>>>>>> Here is a bit of a baffling one on 4.0.5:
>>>>>>>
>>>>>>> Replica install p11-kit???
>>>>>> This is a part of the DNSSEC set of packages.
>>>>>>
>>>>>>> Connection from master to replica is OK.
>>>>>>>
>>>>>>> Connection check OK
>>>>>>> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
>>>>>>> Configuring NTP daemon (ntpd)
>>>>>>> [1/4]: stopping ntpd
>>>>>>> [2/4]: writing configuration
>>>>>>> ...
>>>>>>>
>>>>>>> Your system may be partly configured.
>>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>>
>>>>>>> LDAP error: UNWILLING_TO_PERFORM
>>>>>>> database is read-only
>>>>>>>
>>>>>>>
>>>>>>> Thoughts?
>>>> We need more information about your problem.
>>>>
>>>> As always, please start with information requested on
>>>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>>>>
>>>> /var/log/ipa*.log from affected replica will be invaluable (along
>>>> with exact package version numbers [including p11-kit] and repo
>>>> configuration).
