Paul B. Henson wrote:
> We're running MIT kerberos with the ldap backend, specifically 3
> openldap servers doing delta syncrepl. We started having a problem a
> while back where once a day the kdc would time out authentication
> requests, and finally tracked it down to openldap purging the accesslog.
> We currently have the accesslog overlay configured to delete entries
> over 7 days old once a day, and it seems that while openldap is
> processing the purge the kdc is starved out and unable to process
> authentications in a timely fashion. We do (thanks to our ISO) have
> account lockout enabled, so every authentication involves not only a
> read but a write.
>
> Is it expected for the accesslog purge to be so disruptive? Is there any
> way to tune it so it doesn't overwhelm the system to the point of being
> unresponsive?
>
> Would it be better to purge the accesslog more frequently as to amortize
> the work across multiple intervals rather than being concentrated once a
> day?

Do you have an eq-index on the reqStart attribute as recommended in
slapo-accesslog(5)? Note that adding the index later needs re-indexing
of the DB.

Ciao, Michael.
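For reference, the setup discussed in this thread as a slapd.conf fragment. This is an added example, not configuration posted by either participant. The suffixes, directory paths and the mdb backend are placeholder assumptions; the purge values are the ones described in the question (entries over 7 days old, purged once a day).

```conf
# Added example, slapd.conf style. Suffixes, paths and backend are placeholders.

# Accesslog database WITHOUT the index (shown commented out for comparison):
# the purge has to find entries by reqStart with no index to help it.
#database   mdb
#suffix     cn=accesslog
#directory  /var/lib/ldap/accesslog

# Accesslog database WITH the eq index on reqStart that slapo-accesslog(5)
# recommends for purge performance.
database    mdb
suffix      cn=accesslog
directory   /var/lib/ldap/accesslog
index       reqStart eq

# Main database: the accesslog overlay records writes into cn=accesslog,
# which delta-syncrepl consumers replicate from.
database    mdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap/main

overlay     accesslog
logdb       cn=accesslog
logops      writes
logsuccess  TRUE
# logpurge <age> <interval>, both in [ddd+]hh:mm[:ss] format:
# delete entries older than 7 days, scanning once a day.
logpurge    07+00:00 01+00:00
```

The `index` line belongs in the log database section, not the main one. When it is added to a log database that already holds entries, the re-indexing mentioned above is done with slapindex(8) while slapd is stopped.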