Hi,
Just as an update- we've managed to restore service. It turns out that we had went over the value of 65,535 (66,291) aliases which we think was the root cause of this behaviour suddenly starting.
Although it relates to MDB this ITS sounded very similar: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10
We started deleting as many aliases as we could but performance only improved slightly. What appears to have fixed it was doing a slapcat of the "pruned" data and re-loading it into the database via slapadd. Having done this searches with deref set to always are now performing as they were before.
Ultimately we've been wanting to move away from both a) hdb and b) aliases for a while but one of our user bases runs a web application that requires them as it doesn't support either groups or modifying it's search filter. Given this incident there might be a push for them to re-evaluate this approach.
On 16/11/15 18:44, Mark Cairney wrote:
Hi Andrew,
Thanks for getting back. I saw your report for mdb actually. I can confirm that I've got "olcDBIndex objectlass eq" set on my servers.
Everyone keeps telling me that about aliases but unfortunately we've got a group of users who require them to act in lieu of groups to support their application i.e. they have OUs filled with aliases back to user accounts in the main user OU.
We've started deleting old/hanging OUs and it's made a small improvement but it's still taking 20-30s per query rather than returning almost instantly like it was before.
On 16/11/15 18:10, Andrew Findlay wrote:
On Mon, Nov 16, 2015 at 03:13:11PM +0000, Mark Cairney wrote:
We're having severe performance issues for any query with alias dereferencing set to "always".
Any query with this causes the CPU to spin up to 100% and if we have a number of these concurrently the machine will become unresponsive.
I hit something similar a while ago using mdb:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146
We're using OpenLDAP 2.4.42 with the old hdb backend.
We do have a large number of aliases (~63,000). Could this be the cause?
It would be worth checking that you have indexed the objectclass attribute.
I prefer to avoid aliases...
Andrew