Re: (ITS#6334) hang during ldapmodify
Here is a sanitized copy of my slapd.conf. I'm still working on the
logs and gdb backtrace. Let me know if you notice anything out of sorts.
Thanks!
Mark
masarati@aero.polimi.it wrote:
>> Matthew and Hallvard,
>>
>> Matthew Backes wrote:
>>> Large collections of values can be slow for some uses; have you looked
>>> at the sortvals option? (needs a db reload with slapcat+slapadd)
>> Thanks for your suggestion to add the sortvals option. I've done so and
>> still experience the hangs.
>>
>>>> memberUid: t2479
>>> That doesn't seem terribly large, no. sortvals is more pertinent if you
>>> have 100k+ values on the attribute...
>> Exactly what I was thinking. This doesn't seem like a really large
>> number, but it's consistently hanging for us.
>
> A consistent hang calls for some deadlock. Your configuration might be
> tweaking some strange interoperation of functionalities that results in the
> deadlock. So, rather than the logs, the configuration would be of
> paramount interest. We are obviously looking for details, so don't omit
> anything; rather sanitize sensitive information, like passwords. I'm
> specifically thinking about some strange interoperation between databases,
> overlays, ACLs and so on.
>
> p.
>
Attachment: slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/automount.schema
include /etc/ldap/schema/samba.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.master.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.master.args
# Read slapd.conf(5) for possible values
loglevel stats sync
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
moduleload ppolicy
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=cs,dc=brown,dc=edu"
# number of entries to keep in cache
cachesize 10000
# time between database checkpoints
checkpoint 128 15
# Where the database files are physically stored for database #1
directory "/sysvol/ldap/db"
# Indexing options for database #1
index default eq
index cn,sn,givenName
index uid,uidNumber,gidNumber,memberNisNetGroup
index automountKey,automountMapName,memberUid,uniqueMember,homeDirectory
index contextCSN,entryCSN,entryUUID,objectClass
index mail eq,sub
# multi-valued attributes that should always be maintained in sorted order
sortvals memberUid
sortvals nisNetgroupTriple
# Max number of anonymous sessions
conn_max_pending 1000
# Save the time that the entry gets modified, for database #1
lastmod on
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100
######################################################################
# CS dept config
######################################################################
# TLS Config
TLSCertificateFile /sysvol/ldap/config/ldapmaster-cert.pem
TLSCertificateKeyFile /sysvol/ldap/config/ldapmaster-key.pem
TLSCACertificateFile /usr/share/ca-certificates/cs.brown.edu/cs.brown.edu.crt
TLSVerifyClient allow
# CS dept SASL config
sasl-realm cs.brown.edu
sasl-host ldapmaster.cs.brown.edu
# This is a bit of a hack to restrict the SASL mechanisms that the server
# advertises to just GSSAPI. Otherwise it also advertises DIGEST-MD5,
# which the clients prefer. Then you have to add "-Y GSSAPI" to all of
# your ldapsearch/ldapmodify command lines, which is annoying. The default
# for this is noanonymous,noplain so the addition of noactive is what makes
# DIGEST-MD5 and others go away.
sasl-secprops noanonymous,noplain,noactive
# Map SASL authentication DNs to LDAP DNs. This leaves <username>/root
# principals untouched
saslRegexp uid=([^/]*),cn=cs.brown.edu,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=cs,dc=brown,dc=edu
# This should be a ^ plus, not a star, but slapd won't accept it
# Access controls
access to * attrs=userPassword
by ssf=128 anonymous auth
by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
by ssf=128 dn="cn=sync,dc=cs,dc=brown,dc=edu" write
by ssf=128 self write
by * none
# The */root dn has full write access, everyone else can read everything.
access to *
by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
by ssf=128 dn="uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=GSSAPI,cn=auth" read
by * read
# Specify default password policies
overlay ppolicy
ppolicy_default "cn=password,ou=policies,dc=cs,dc=brown,dc=edu"
password-hash {SSHA}
sizelimit unlimited
timelimit unlimited
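Independently of the hang, the ACL block in the attached slapd.conf is worth a second look. The script below is an added example, not code from this thread or from OpenLDAP. It parses the posted `access to` / `by` clauses (copied into SAMPLE_CONF) and flags three things that slapd.access(5) semantics make problematic: a `dn=` exact-match value containing `.*` (it is compared literally and never matches, so `dn.regex=` was presumably meant), a `dn.regex=` that is not anchored with `^...$` (it then also matches any DN that merely contains the pattern), and a trailing `by * read` that hands everyone the same access the preceding `ssf=128` clause was guarding. FIXED_CONF is one possible correction; it assumes the intent was to require ssf=128 for reads as well, which is my assumption and not something the thread states.

```python
"""Lint slapd.conf ACL clauses for three common mistakes.

Added example: this is neither OpenLDAP code nor anything posted in the
ITS#6334 thread. SAMPLE_CONF is constructed from the ACL block of the
attached slapd.conf; FIXED_CONF is one possible correction and assumes
(my assumption) that reads were meant to require ssf=128 too.

Rules, based on slapd.access(5) semantics:
  exact-dn-has-regex    dn="..." is compared literally, so a value with
                        ".*" or other metacharacters never matches a real
                        DN and the clause silently grants nothing.
  unanchored-regex      dn.regex="..." is run through regexec() with no
                        implicit anchors; without ^...$ it also matches
                        any DN that merely contains the pattern.
  catch-all-defeats-ssf a final "by * LEVEL" grants LEVEL to everyone,
                        so an earlier "by ssf=N <who> LEVEL-or-lower"
                        clause adds no protection at that level.
"""
import re

SAMPLE_CONF = """\
access to * attrs=userPassword
    by ssf=128 anonymous auth
    by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
    by ssf=128 dn="cn=sync,dc=cs,dc=brown,dc=edu" write
    by ssf=128 self write
    by * none
access to *
    by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
    by ssf=128 dn="uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=GSSAPI,cn=auth" read
    by * read
"""

FIXED_CONF = """\
access to * attrs=userPassword
    by ssf=128 anonymous auth
    by ssf=128 dn.regex="^uid=[^,/]+/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth$" write
    by ssf=128 dn="cn=sync,dc=cs,dc=brown,dc=edu" write
    by ssf=128 self write
    by * none
access to *
    by ssf=128 dn.regex="^uid=[^,/]+/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth$" write
    by ssf=128 dn.regex="^uid=[^,]+,ou=people,dc=cs,dc=brown,dc=edu$" read
    by ssf=128 * read
    by * none
"""

# Access levels from lowest to highest, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Heuristic: tokens that never belong in a literal DN but do in a regex.
META = re.compile(r"\.\*|[\[\]^$|()]")
ACCESS_RE = re.compile(r"^access\s+to\s+(.*)$", re.I)
BY_RE = re.compile(
    r'^by\s+(?:ssf=(?P<ssf>\d+)\s+)?(?P<who>dn(?:\.\w+)?="[^"]*"|\S+)\s+(?P<level>\S+)')


def parse_acls(text):
    """Return [(target, [by-clause dicts])]; each dict has who, ssf, level."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACCESS_RE.match(line)
        if m:
            acls.append((m.group(1).strip(), []))
            continue
        if line.startswith("by ") and acls:
            m = BY_RE.match(line)
            if not m:
                raise ValueError("unparsed by-clause: " + line)
            acls[-1][1].append({"who": m.group("who"), "level": m.group("level"),
                                "ssf": int(m.group("ssf")) if m.group("ssf") else None})
    return acls


def lint(text):
    """Return a list of (rule, 'access to <target>', detail) findings."""
    findings = []
    for target, bys in parse_acls(text):
        ctx = "access to " + target
        for b in bys:
            who = b["who"]
            if who.startswith("dn") and "=" in who and who.endswith('"'):
                form, value = who.split("=", 1)
                value = value.strip('"')
                if form == "dn" and META.search(value):
                    findings.append(("exact-dn-has-regex", ctx, value))
                elif form == "dn.regex" and not (value.startswith("^") and value.endswith("$")):
                    findings.append(("unanchored-regex", ctx, value))
        last = bys[-1] if bys else None
        if last and last["who"] == "*" and last["ssf"] is None and last["level"] in LEVELS:
            ceiling = LEVELS.index(last["level"])
            for b in bys[:-1]:
                if b["ssf"] is not None and b["level"] in LEVELS and LEVELS.index(b["level"]) <= ceiling:
                    findings.append(("catch-all-defeats-ssf", ctx,
                                     'ssf=%d %s %s is overridden by "by * %s"'
                                     % (b["ssf"], b["who"], b["level"], last["level"])))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        results = lint(conf)
        print("== %s config: %d finding(s)" % (name, len(results)))
        for rule, ctx, detail in results:
            print("  %-22s %-30s %s" % (rule, ctx, detail))
```

Run as-is it reports four findings against the posted ACLs (one unanchored `dn.regex` per `access to` block, the `dn="uid=.*,..."` exact match that can never fire, and the `by * read` that makes the `ssf=128 ... read` line above it a no-op) and none against FIXED_CONF. The `dn=` value flagged here also mixes a directory suffix with a SASL `cn=auth` DN; whichever was intended, the saslRegexp mapping earlier in the file already rewrites GSSAPI identities to `uid=...,ou=people,...`, so matching on the mapped form is the simpler fix.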