Various system components need restricted access so using "cn=directory
manager" is out of the question.
I set nsslapd-errorlog-level=128 (logs acl processing) to dig more into
internals. Here's what I saw:
1.2.11
NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"
............ cached allow by aci(7)
...
NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"
.............cached allow by aci(7)
...
1.2.5
NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"
...........cached allow by aci(7)
.......
NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"
..........cached context/parent allow
.......
As you can see, in 1.2.5, where the search returns faster, for the first returned
entry there is "cached allow by aci(7)" whereas for every next one there's
"cached context/parent allow". In 1.2.11, however, there is "cached allow by
aci(7)" for every returned entry. Is this difference of any significance?
Am I missing some kind of caching in 1.2.11?
2014-11-24 23:07 GMT+01:00 Rich Megginson <rmeggins(a)redhat.com>:
On 11/24/2014 08:19 AM, Bartek wrote:
Hello
I have a use case where particular search operations on the same data in
1.2.5 and 1.2.11 differ significantly.
1.2.5 is on CentOS 5.9 and 1.2.11 on CentOS 5.11. I'm asking this as I'm
in the middle of the upgrade process and I came across this performance issue.
After feeding both versions with data from the same text dump, a
particular search operation takes 0.5s in 1.2.5 to complete whereas in
1.2.11 it takes 6s:
ldapsearch -D 'uid=root,ou=users,o=xxx' -x -b
'uid=someuser,dc=domain,dc=pl,o=xxx' -s subtree -w pass
'(objectClass=someObjectClass)'
There is a set of 40 acls at the dc=pl,o=xxx node and 9 more on
dc=domain,dc=pl,o=xxx. The acl allowing 'uid=root,ou=users,o=xxx' to access
everything is at o=xxx.
I did already manage to figure out that the more acis I remove, the
shorter the search operation is. However, even with those acis in place,
the search on 1.2.5 returns significantly faster.
I would like to ask if there are any factors that would make search
operations longer while jumping from 1.2.5 to 1.2.11?
Not that I know of.
You can rule out acis as the source of the performance issue by using -D
"cn=directory manager" as the bind dn.
Use logconv.pl to analyze your access logs for common problems.
--
Regards
Bartek
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
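
The comparison made at the top of this message, as an added example that is not part of the original thread or of 389 Directory Server: a Python tally of how many ACL results per operation were "cached allow by aci(N)" versus "cached context/parent allow". It assumes only the two line shapes quoted in the excerpts above; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Line shapes copied from the excerpts quoted in this thread (assumption:
# real error logs carry extra lines between these, which are ignored here).
HEADER = re.compile(r'NSACLPlugin - #### conn=(\d+) op=(\d+) binddn="([^"]*)"')
RESULT = re.compile(r'cached (?:allow by aci\((\d+)\)|context/parent allow)')

def tally_acl_results(lines):
    """Return {(conn, op, binddn): Counter of cached-result kinds}."""
    tallies = defaultdict(Counter)
    current = None
    for line in lines:
        header = HEADER.search(line)
        if header:
            current = (int(header.group(1)), int(header.group(2)), header.group(3))
            continue
        result = RESULT.search(line)
        if result and current is not None:
            # group(1) is set only for the "allow by aci(N)" form
            kind = f"aci({result.group(1)})" if result.group(1) else "context/parent"
            tallies[current][kind] += 1
    return dict(tallies)

def context_cache_ratio(counter):
    """Fraction of results answered from the context/parent cache."""
    total = sum(counter.values())
    return counter["context/parent"] / total if total else 0.0

# Constructed samples: three returned entries per version, in the pattern
# described in the message (not real log output).
HDR_125 = 'NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"'
HDR_1211 = 'NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"'
SAMPLE_125 = [HDR_125, "...... cached allow by aci(7)",
              HDR_125, "...... cached context/parent allow",
              HDR_125, "...... cached context/parent allow"]
SAMPLE_1211 = [HDR_1211, "...... cached allow by aci(7)",
               HDR_1211, "...... cached allow by aci(7)",
               HDR_1211, "...... cached allow by aci(7)"]

if __name__ == "__main__":
    for name, sample in (("1.2.5", SAMPLE_125), ("1.2.11", SAMPLE_1211)):
        for key, counts in tally_acl_results(sample).items():
            print(name, key, dict(counts), round(context_cache_ratio(counts), 2))
```

Run against the error log of each server after the same ldapsearch, the per-operation ratio shows whether the context/parent cache is being hit at all.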