What type of indexes do you have for your accesslog? Any warning about missing index in syslog?
>>> "Paul B. Henson" <[email protected]> schrieb am 04.11.2015 um 04:14 in >>> Nachricht <[email protected]>: > We're running MIT kerberos with the ldap backend, specifically 3 > openldap servers doing delta syncrepl. We started having a problem a > while back where once a day the kdc would time out authentication > requests, and finally tracked it down to openldap purging the accesslog. > We currently have the accesslog overlay configured to delete entries > over 7 days old once a day, and it seems that while openldap is > processing the purge the kdc is starved out and unable to process > authentications in a timely fashion. We do (thanks to our ISO) have > account lockout enabled, so every authentication involves not only a > read but a write. > > Is it expected for the accesslog purge to be so disruptive? Is there any > way to tune it so it doesn't overwhelm the system to the point of being > unresponsive? > > Would it be better to purge the accesslog more frequently as to amortize > the work across multiple intervals rather than being concentrated once a > day? > > Thanks for any suggestions...
