What is it about this newer version compared to the old where this is happening? Is it
that our setup is not quite the same? We try to bring all settings forward (except now it
is auto-tuning cache) but it is possible we missed something.
Deborah Crocker, PhD
Systems Engineer III
Office of Information Technology
The University of Alabama
Box 870346
Tuscaloosa, AL 36587
Office 205-348-3758 | Fax 205-348-9393
deborah.crocker(a)ua.edu
-----Original Message-----
From: William Brown <wbrown(a)suse.de>
Sent: Wednesday, June 10, 2020 6:56 PM
To: 389-users(a)lists.fedoraproject.org
Subject: [EXTERNAL] [389-users] Re: Re: Re: Re: new server setup hanging
> We have a number of linux hosts authenticating to ldap. Some of them
> using SSSD had "enumerate=true",

Yeah, you need to disable enumerate=true, because SSSD will do paged searches and that
will get around some search limits that normally would block that.
As well, you probably should look at turning on "ignore_group_members=true",
because if you don't have that set, then SSSD will enumerate your whole directory too.

> which means they run a search for everything every five minutes. Just
> one of those will tie up the host. The search is:
> filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(uaNetgroupLinuxGid=*))"
> only uaNetgroupLinuxGID is unindexed. Again, this causes no problem on our existing
> setup.
...
Thread 49 (Thread 0x7fce91cb8700 (LWP 2176)):
#0 0x00007fcf0b3929ff in comp_cmp (s1p=<optimized out>,
s2p=s2p@entry=0x55955e6fa140 "uaUDCid") at
ldap/servers/slapd/attr.c:88
#1 0x00007fcf0b392bc9 in slapi_attr_type_cmp
(a1=a1@entry=0x55945a2b7b90 "uaee121Shell", a2=0x55955e6fa140
"uaUDCid", opt=opt@entry=2) at ldap/servers/slapd/attr.c:122
#2 0x00007fcf0b3944ff in attrlist_find_ex (a=<optimized out>,
type=type@entry=0x55945a2b7b90 "uaee121Shell",
type_name_disposition=type_name_disposition@entry=0x0,
actual_type_name=actual_type_name@entry=0x0,
hint=hint@entry=0x7fce91cb2488) at ldap/servers/slapd/attrlist.c:176
#3 0x00007fcf0b3b7211 in test_presence_filter (pb=pb@entry=0x0,
e=e@entry=0x55955e6ee300, type=0x55945a2b7b90 "uaee121Shell",
verify_access=verify_access@entry=0,
only_check_access=only_check_access@entry=0,
access_check_done=access_check_done@entry=0x7fce91cb25c0) at
ldap/servers/slapd/filterentry.c:355
#4 0x00007fcf0b42997e in vattr_test_filter (pb=pb@entry=0x0,
e=e@entry=0x55955e6ee300, f=f@entry=0x55947509ab80,
filter_type=FILTER_TYPE_PRES, type=<optimized out>) at
ldap/servers/slapd/vattr.c:753
#5 0x00007fcf0b3b6ec4 in slapi_vattr_filter_test_ext_internal
(pb=pb@entry=0x0, e=0x55955e6ee300, f=0x55947509ab80,
verify_access=verify_access@entry=0,
only_check_access=only_check_access@entry=0,
access_check_done=access_check_done@entry=0x7fce91cb2684) at
ldap/servers/slapd/filterentry.c:823
#6 0x00007fcf0b3b7ba6 in slapi_vattr_filter_test_ext
(pb=pb@entry=0x0, e=<optimized out>, f=<optimized out>,
verify_access=verify_access@entry=0,
only_check_access=only_check_access@entry=0) at
ldap/servers/slapd/filterentry.c:771
#7 0x00007fcf0b3b7bf8 in slapi_vattr_filter_test (pb=pb@entry=0x0,
e=<optimized out>, f=<optimized out>,
verify_access=verify_access@entry=0) at
ldap/servers/slapd/filterentry.c:715
#8 0x00007fcf01599e02 in acl__resource_match_aci
(aclpb=aclpb@entry=0x559474f16000, aci=aci@entry=0x55947509a880,
skip_attrEval=skip_attrEval@entry=0,
a_matched=a_matched@entry=0x7fce91cb2bd0) at
ldap/servers/plugins/acl/acl.c:2422
#9 0x00007fcf0159b280 in acl__scan_for_acis (err=<synthetic pointer>,
aclpb=0x559474f16000) at ldap/servers/plugins/acl/acl.c:1974
#10 0x00007fcf0159b280 in acl_access_allowed (pb=<optimized out>,
e=e@entry=0x55955e6ee300, attr=attr@entry=0x5595925e2ea0 "uid",
val=<optimized out>, access=access@entry=2) at
ldap/servers/plugins/acl/acl.c:568
#11 0x00007fcf015ae9f7 in acl_access_allowed_main (pb=<optimized out>,
e=0x55955e6ee300, attrs=<optimized out>, val=<optimized out>,
access=2, flags=<optimized out>, errbuf=0x0) at
ldap/servers/plugins/acl/aclplugin.c:371
#12 0x00007fcf0b3f0cbc in plugin_call_acl_plugin
(pb=pb@entry=0x559475874000, e=e@entry=0x55955e6ee300,
attrs=attrs@entry=0x7fce91cb2d10, val=val@entry=0x0,
access=access@entry=2, flags=flags@entry=0, errbuf=errbuf@entry=0x0)
at ldap/servers/slapd/plugin_acl.c:62
#13 0x00007fcf0b3b638d in test_filter_access
(pb=pb@entry=0x559475874000, e=e@entry=0x55955e6ee300,
attr_type=<optimized out>, attr_val=attr_val@entry=0x0) at
ldap/servers/slapd/filterentry.c:956
#14 0x00007fcf0b3b7082 in slapi_vattr_filter_test_ext_internal
(pb=pb@entry=0x559475874000, e=e@entry=0x55955e6ee300,
f=f@entry=0x559475f39000, verify_access=verify_access@entry=1,
only_check_access=only_check_access@entry=0,
access_check_done=access_check_done@entry=0x7fce91cb2de4) at
ldap/servers/slapd/filterentry.c:855
#15 0x00007fcf0b3b6d31 in vattr_test_filter_list_and (ftype=160,
access_check_done=0x7fce91cb2de4, only_check_access=0,
verify_access=1, flist=<optimized out>, e=0x55955e6ee300,
pb=0x559475874000) at ldap/servers/slapd/filterentry.c:980
#16 0x00007fcf0b3b6d31 in slapi_vattr_filter_test_ext_internal
(pb=pb@entry=0x559475874000, e=0x55955e6ee300, f=<optimized out>,
verify_access=verify_access@entry=1,
only_check_access=only_check_access@entry=0,
access_check_done=access_check_done@entry=0x7fce91cb2de4) at
ldap/servers/slapd/filterentry.c:885
#17 0x00007fcf0b3b7ba6 in slapi_vattr_filter_test_ext
(pb=pb@entry=0x559475874000, e=<optimized out>, f=<optimized out>,
verify_access=verify_access@entry=1,
only_check_access=only_check_access@entry=0) at
ldap/servers/slapd/filterentry.c:771
#18 0x00007fcf0b3b7bf8 in slapi_vattr_filter_test
(pb=pb@entry=0x559475874000, e=<optimized out>, f=<optimized out>,
verify_access=verify_access@entry=1) at
ldap/servers/slapd/filterentry.c:715
#19 0x00007fcf002c0df1 in ldbm_back_next_search_entry_ext
(pb=0x559475874000, use_extension=0) at
ldap/servers/slapd/back-ldbm/ldbm_search.c:1702
#20 0x00007fcf0b3deca6 in iterate (send_result=1, be=0x559459ae7c70,
pr_statp=0x7fce91cb30a4, pagesize=<optimized out>,
pnentries=0x7fce91cb3138, pb=0x559475874000) at
ldap/servers/slapd/opshared.c:1292
#21 0x00007fcf0b3deca6 in send_results_ext
(pb=pb@entry=0x559475874000, nentries=nentries@entry=0x7fce91cb3138,
pagesize=1000, pr_stat=pr_stat@entry=0x7fce91cb30a4, send_result=1) at
ldap/servers/slapd/opshared.c:1645
#22 0x00007fcf0b3e0474 in op_shared_search
(pb=pb@entry=0x559475874000, send_result=send_result@entry=1) at
ldap/servers/slapd/opshared.c:683
#23 0x000055945722cc0e in do_search (pb=pb@entry=0x559475874000) at
ldap/servers/slapd/search.c:352
#24 0x000055945721a98a in connection_dispatch_operation
(pb=0x559475874000, op=0x559592580b40, conn=0x559475186510) at
ldap/servers/slapd/connection.c:651
#25 0x000055945721a98a in connection_threadmain () at
ldap/servers/slapd/connection.c:1793
#26 0x00007fcf091a0c5b in _pt_root (arg=0x559459ba5200) at
../../../nspr/pr/src/pthreads/ptthread.c:201
#27 0x00007fcf08b40ea5 in start_thread (arg=0x7fce91cb8700) at
pthread_create.c:307
#28 0x00007fcf081ec8dd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Yep, it's holding the backend lock while applying the filter test.
In a condition like:
"(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(uaNetgroupLinuxGid=*))"
You really need everything indexed because here, this really is going to have to enumerate
*everything* that is an objectClass posix account, and then apply the filtertest. So you
should index uaNetgroupLinuxGid, then the test can be asserted in indexes only which is
significantly faster. I recommend a presence and equality index to be safe.
If you look at the access log and there is any "notes=A", "notes=F",
or "notes=U", you should probably check those queries and ensure that all the
elements of that filter are indexed, and that all the elements of that filter are present
in schema.
Hope that helps,
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
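
The access-log check suggested above, as an added example that is not part of the original thread or of the 389 Directory Server project: it pairs each RESULT line carrying notes=A, notes=F or notes=U with the SRCH line of the same conn/op and lists the attribute types in those filters, so their indexes and schema can be reviewed. The log lines, the dc=example,dc=edu base and the uaNoSuchAttr attribute are constructed for illustration, and the line layout is assumed to follow the usual access-log format.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = '''\
[10/Jun/2020:18:50:01.000000001 -0500] conn=7 op=1 SRCH base="dc=example,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(uaNetgroupLinuxGid=*))" attrs=ALL
[10/Jun/2020:18:50:02.000000001 -0500] conn=8 op=4 SRCH base="dc=example,dc=edu" scope=2 filter="(uid=jdoe)" attrs="uid cn"
[10/Jun/2020:18:50:02.100000001 -0500] conn=8 op=4 RESULT err=0 tag=101 nentries=1 etime=0.004000000
[10/Jun/2020:18:50:44.000000001 -0500] conn=7 op=1 RESULT err=0 tag=101 nentries=1000 etime=43.120000000 notes=U,P pr_idx=0 pr_cookie=0
[10/Jun/2020:18:51:00.000000001 -0500] conn=9 op=2 SRCH base="dc=example,dc=edu" scope=2 filter="(uaNoSuchAttr=x)" attrs=ALL
[10/Jun/2020:18:51:00.200000001 -0500] conn=9 op=2 RESULT err=0 tag=101 nentries=0 etime=0.150000000 notes=F
'''

OP_RE = re.compile(r'conn=(\d+) op=(-?\d+) (SRCH|RESULT)\b(.*)')
FILTER_RE = re.compile(r'filter="((?:[^"\\]|\\.)*)"')
NOTES_RE = re.compile(r'\bnotes=([A-Z](?:,[A-Z])*)')
ETIME_RE = re.compile(r'\betime=([\d.]+)')
ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)(?:=|~=|>=|<=|:)')
FLAGS = {"A", "F", "U"}  # the notes values named in the thread

def flagged_searches(log_text):
    """Return (conn, op, notes, etime, filter) for searches whose RESULT has notes A, F or U."""
    pending = {}  # (conn, op) -> filter string seen on the SRCH line
    hits = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind == "SRCH":
            f = FILTER_RE.search(rest)
            if f:
                pending[key] = f.group(1)
            continue
        flt = pending.pop(key, None)          # RESULT closes the operation
        n = NOTES_RE.search(rest)
        notes = set(n.group(1).split(",")) & FLAGS if n else set()
        if flt is not None and notes:
            e = ETIME_RE.search(rest)
            hits.append((*key, sorted(notes), float(e.group(1)) if e else None, flt))
    return hits

def attributes_to_review(hits):
    """Count, per attribute type, how many flagged filters reference it."""
    counts = Counter()
    for *_, flt in hits:
        counts.update({a.lower() for a in ATTR_RE.findall(flt)})
    return dict(counts)
```

Sorting the output of flagged_searches by etime puts the searches that held the server longest at the top.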