[Fedora-directory-devel] aci cache overflown problem - suggested patch for acl.h

Rich Megginson rmeggins at redhat.com
Tue Mar 31 15:03:45 UTC 2009 

Audun Røe wrote:
>
> Hey,
>
>  
>
> We're in the process of replacing an old Sun Directory Server 5.2 
> deployment. In our preliminary tests using FDS 1.1.0 (this was back in 
> Q2 2008 or so), we saw lots of "aci cache overflown" messages in the 
> log for some users, and performance would basically drop to 
> unacceptable levels. I previously posted about the issue to the 
> user-list in early May 2008, though in retrospect the mail probably 
> should've gone here. It's archived at 
> http://www.mailinglistarchive.com/fedora-directory-users@redhat.com/msg02612.html 
> if anyone's interested)
>
>  
>
> Anyway, searching the cvs tree for the log message and bumping 
> ACLPB_MAX_SELECTED_ACLS from 200 to 2000 just happened to solve our 
> problem. The change was made as a long-shot in the dark without any 
> insight into the code-base, i.e. we don't really have any broad 
> understanding of how and where it's used. It just seemingly works. 
> During our testing, we have not seen side-effects though we don't 
> really have any experience with the unmodified server. It just wasn't 
> usable for us with the legacy ldap-structure we have.
>
>  
>
> I've attached a patch for the one-line change we made, based on the 
> source RPM for fds-base-1.1.3. What are your thoughts on including 
> this in future revisions? If the patch is unacceptable, would you be 
> more prepared to accept a contribution making this configurable from 
> dse.ldif?
>
Yes.  This seems like something that should be configurable.  We would 
welcome your contribution.
Step 1) Please review http://directory.fedoraproject.org/wiki/Contributing
Step 2) Please open a bug in bugzilla.redhat.com for Fedora Directory 
Server - you can attach patches, tests, etc. to the bug (after we 
receive confirmation that you have signed and submitted the CLA)
>
> Assuming neither option is acceptable and the current value of 200 is 
> locked, I would very much like to hear the reasoning, as obviously, 
> even if things seem to work, the apparent shortage of other people 
> bumping into this problem is slightly worrying (our directory has 
> upwards of 1500 aci attrs - count made with a quick grep -c "aci:" on 
> an ldif exported from the old Sun ldap). 
>
>  
>
>  
>
> --
>
> Audun Røe
>
> mail: audun.roe at kantega.no
>
>  
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>   


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-devel/attachments/20090331/11810aa1/attachment.bin

More information about the 389-devel mailing list