Here is a sanitized copy of my slapd.conf. I'm still working on the logs and gdb backtrace. Let me know if you notice anything out of sorts.
Thanks!
Mark
masarati@aero.polimi.it wrote:
>> Matthew and Hallvard,
>>
>> Matthew Backes wrote:
>>> Large collections of values can be slow for some uses; have you looked at the sortvals option? (needs a db reload with slapcat+slapadd)
>>
>> Thanks for your suggestion to add the sortvals option. I've done so and still experience the hangs.
>>
>>>> memberUid: t2479
>>>
>>> That doesn't seem terribly large, no. sortvals is more pertinent if you have 100k+ values on the attribute...
>>
>> Exactly what I was thinking. This doesn't seem like a really large number, but it's consistently hanging for us.
>
> A consistent hang calls for some deadlock. Your configuration might be tweaking some strange interoperation of functionalities that results in the deadlock. So, rather than the logs, the configuration would be of paramount interest. We are obviously looking for details, so don't omit anything; rather, sanitize sensitive information, like passwords. I'm specifically thinking about some strange interoperation between databases, overlays, ACLs and so on.
>
> p.
[Attachment: slapd.conf]
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/automount.schema
include /etc/ldap/schema/samba.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.master.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd.master.args

# Read slapd.conf(5) for possible values
loglevel stats sync

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
moduleload ppolicy

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=cs,dc=brown,dc=edu"

# number of entries to keep in cache
cachesize 10000

# time between database checkpoints
checkpoint 128 15

# Where the database files are physically stored for database #1
directory "/sysvol/ldap/db"

# Indexing options for database #1
index default eq
index cn,sn,givenName
index uid,uidNumber,gidNumber,memberNisNetGroup
index automountKey,automountMapName,memberUid,uniqueMember,homeDirectory
index contextCSN,entryCSN,entryUUID,objectClass
index mail eq,sub

# multi-valued attributes that should always be maintained in sorted order
sortvals memberUid
sortvals nisNetgroupTriple

# Max number of anonymous sessions
conn_max_pending 1000

# Save the time that the entry gets modified, for database #1
lastmod on

overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100

######################################################################
# CS dept config
######################################################################

# TLS Config
TLSCertificateFile /sysvol/ldap/config/ldapmaster-cert.pem
TLSCertificateKeyFile /sysvol/ldap/config/ldapmaster-key.pem
TLSCACertificateFile /usr/share/ca-certificates/cs.brown.edu/cs.brown.edu.crt
TLSVerifyClient allow

# CS dept SASL config
sasl-realm cs.brown.edu
sasl-host ldapmaster.cs.brown.edu

# This is a bit of a hack to restrict the SASL mechanisms that the server
# advertises to just GSSAPI. Otherwise it also advertises DIGEST-MD5,
# which the clients prefer. Then you have to add "-Y GSSAPI" to all of
# your ldapsearch/ldapmodify command lines, which is annoying. The default
# for this is noanonymous,noplain so the addition of noactive is what makes
# DIGEST-MD5 and others go away.
sasl-secprops noanonymous,noplain,noactive

# Map SASL authentication DNs to LDAP DNs. This leaves <username>/root
# principals untouched
saslRegexp uid=([^/]*),cn=cs.brown.edu,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=cs,dc=brown,dc=edu
# This should be a ^ plus, not a star, but slapd won't accept it

# Access controls
access to * attrs=userPassword
    by ssf=128 anonymous auth
    by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
    by ssf=128 dn="cn=sync,dc=cs,dc=brown,dc=edu" write
    by ssf=128 self write
    by * none

# The */root dn has full write access, everyone else can read everything.
access to *
    by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
    by ssf=128 dn="uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=GSSAPI,cn=auth" read
    by * read

# Specify default password policies
overlay ppolicy
ppolicy_default "cn=password,ou=policies,dc=cs,dc=brown,dc=edu"

password-hash {SSHA}

sizelimit unlimited
timelimit unlimited
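As an added illustration (not code from this thread or from OpenLDAP), the two access directives in the attached slapd.conf expressed as data and walked with slapd's first-match rules, so a reviewer can see which bind, at which ssf, gets which level on userPassword versus the rest of the entry. The bind DNs are constructed, and the evaluator is a deliberate simplification of slapd's ACL engine (it assumes a plain dn= clause is an exact-DN comparison and dn.regex is unanchored).

```python
import re

# Added illustration: the two 'access to' directives from the posted
# slapd.conf as data, so slapd's first-match evaluation can be run over
# sample binds. Not OpenLDAP code; the evaluator is simplified.
ROOT_RE = r"uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth"
ACLS = [
    # (attribute the 'to' clause is limited to, or None for '*',
    #  by-clauses as (who, minimum ssf, access level))
    ("userPassword", [
        ("anonymous", 128, "auth"),
        ("regex:" + ROOT_RE, 128, "write"),
        ("exact:cn=sync,dc=cs,dc=brown,dc=edu", 128, "write"),
        ("self", 128, "write"),
        ("*", 0, "none"),
    ]),
    (None, [
        ("regex:" + ROOT_RE, 128, "write"),
        # plain dn= is modelled as an exact DN, so the literal '.*' never
        # equals a real bind DN; such binds fall through to 'by * read'
        ("exact:uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=GSSAPI,cn=auth", 128, "read"),
        ("*", 0, "read"),
    ]),
]

def who_matches(who, bind_dn, target_dn):
    """bind_dn is '' for an anonymous session (all DNs here are constructed)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    style, _, pattern = who.partition(":")
    if style == "exact":
        return bind_dn.lower() == pattern.lower()
    # dn.regex: unanchored unless the pattern itself carries ^ and $
    return re.search(pattern, bind_dn, re.IGNORECASE) is not None

def access(bind_dn, ssf, target_dn, attr):
    """First 'to' clause covering the attribute decides; within it the first
    'by' clause whose conditions (ssf included) hold; no match grants nothing."""
    for attr_filter, by_clauses in ACLS:
        if attr_filter is not None and attr_filter.lower() != attr.lower():
            continue
        for who, min_ssf, level in by_clauses:
            if ssf >= min_ssf and who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"
```

Note that a uid=<user>/root principal is left untouched by the saslRegexp above (the `[^/]*` group stops at the slash), which is why it still matches the dn.regex clauses in their cn=auth form.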