
Re: accesslog purge starves kerberos kdc authentications



What type of indexes do you have for your accesslog? Any warning about missing index in syslog?

>>> "Paul B. Henson" <henson@acm.org> wrote on 04.11.2015 at 04:14 in message
<20151104031401.GH3408@bender.unx.cpp.edu>:
> We're running MIT kerberos with the ldap backend, specifically 3
> openldap servers doing delta syncrepl. We started having a problem a
> while back where once a day the kdc would time out authentication
> requests, and finally tracked it down to openldap purging the accesslog.
> We currently have the accesslog overlay configured to delete entries
> over 7 days old once a day, and it seems that while openldap is
> processing the purge the kdc is starved out and unable to process
> authentications in a timely fashion. We do (thanks to our ISO) have
> account lockout enabled, so every authentication involves not only a
> read but a write.
> 
> Is it expected for the accesslog purge to be so disruptive? Is there any
> way to tune it so it doesn't overwhelm the system to the point of being
> unresponsive?
> 
> Would it be better to purge the accesslog more frequently so as to amortize
> the work across multiple intervals rather than being concentrated once a
> day?
> 
> Thanks for any suggestions...