Paul B. Henson wrote:
We're running MIT kerberos with the ldap backend, specifically 3 openldap servers doing delta syncrepl. We started having a problem a while back where once a day the kdc would time out authentication requests, and finally tracked it down to openldap purging the accesslog. We currently have the accesslog overlay configured to delete entries over 7 days old once a day, and it seems that while openldap is processing the purge the kdc is starved out and unable to process authentications in a timely fashion. We do (thanks to our ISO) have account lockout enabled, so every authentication involves not only a read but a write.
Is it expected for the accesslog purge to be so disruptive? Is there any way to tune it so it doesn't overwhelm the system to the point of being unresponsive?
Would it be better to purge the accesslog more frequently so as to amortize the work across multiple intervals rather than having it concentrated once a day?
Do you have an eq-index on the reqStart attribute as recommended in slapo-accesslog(5)?
Note that adding the index later needs re-indexing of the DB.
Ciao, Michael.
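For reference, an added slapd.conf fragment (not posted by either participant) showing the two knobs this thread touches on: the eq index on reqStart in the accesslog database, and the logpurge age/interval setting; the suffix, directory and DN values are assumed placeholders.

```conf
# Added illustration, not from the original thread. Paths, suffixes and
# the rootdn are assumed placeholders.

# --- accesslog database ------------------------------------------------
database   mdb
suffix     cn=accesslog
directory  /var/lib/ldap/accesslog     # assumed path
rootdn     cn=accesslog
# The purge selects entries by reqStart; without an eq index on it every
# purge pass walks the whole log DB. slapo-accesslog(5) recommends this
# index, and adding it to an existing DB requires re-indexing (slapindex).
# entryCSN, objectClass, reqEnd and reqResult are the indexes the
# delta-syncrepl setup in the OpenLDAP Admin Guide uses alongside it.
index      default eq
index      entryCSN,objectClass,reqEnd,reqResult,reqStart

# --- main database with the accesslog overlay ---------------------------
database   mdb
suffix     dc=example,dc=com             # assumed suffix
directory  /var/lib/ldap/main            # assumed path

overlay    accesslog
logdb      cn=accesslog
logops     writes
logsuccess TRUE
logold     (objectclass=*)
# logpurge <age> <interval>, both in dd+hh:mm form.
# As described in the thread: entries older than 7 days, purged once a day,
# i.e. one large pass every 24 hours:
#logpurge  07+00:00 01+00:00
# Same 7-day retention, but the purge runs hourly so each pass only has the
# last hour's worth of expired entries to delete:
logpurge   07+00:00 00+01:00
```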