MMR Dead-Lock
by Joel Levin
Hi List:
We have a multi-master set-up: 1 Primary Master, 1 Cold Master, 3 Consumers.
All is usually humming along well; however, today there were a number of deadlocks
like the one below, 2 of which took the 1 Primary Master offline (the example below,
from the 'error' logs, resulted in the master going offline).
Any ideas on where to look for what could have caused the deadlock and the
subsequent taking offline of the Primary Master?
Thanks.
[06/Aug/2015:14:17:22 -0700] eldapubcpostop_mod - 20150806141722[06/Aug/2015:14:17:22 -0700] NSMMReplicationPlugin - agmt="cn=eldap2" (eldap2:636): Consumer failed to replay change (uniqueid 67c49201-3c6411e5-97f8dfeb-4acc1d05, CSN 55c3cee4000000010000): Protocol error (2). Will retry later.
[06/Aug/2015:14:17:22 -0700] NSMMReplicationPlugin - agmt="cn=eldap3" (eldap3:636): Consumer failed to replay change (uniqueid 67c49201-3c6411e5-97f8dfeb-4acc1d05, CSN 55c3cee4000000010000): Protocol error (2). Will retry later.
[06/Aug/2015:14:17:23 -0700] eldapubcpostop_mod - Opened database successfully
[06/Aug/2015:14:17:23 -0700] eldapubcpostop_mod - 20150806141723[06/Aug/2015:14:17:23 -0700] eldapubcpostop_mod - Opened database successfully
[06/Aug/2015:14:17:23 -0700] eldapubcpostop_mod - 20150806141723[06/Aug/2015:14:20:17 -0700] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=55c3cf8e000000010000) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[06/Aug/2015:14:20:17 -0700] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (55c3cf8e000000010000); db error - -30994 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[06/Aug/2015:14:20:17 -0700] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=foobar,ou=org,dc=example,dc=com (uniqid: e62f2d01-3c8011e5-a838dfeb-4acc1d05, optype: 16) to changelog csn 55c3cf8e000000010000
8 years, 8 months
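A first step in answering Joel's question is to pull the replication events out of the error log and line them up by CSN, since the CSN itself encodes when the change was generated and on which replica. The following is an added triage helper, not code from the thread or from 389-DS; the sample lines are the post's own log lines re-joined where the archive wrapped them, and the CSN layout (8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of subsequence) is assumed from the usual 389-DS format.

```python
import re

# Constructed sample: the error-log lines quoted in the post above, re-joined
# where the archive wrapped them (a reproduction, not a live log).
SAMPLE_ERROR_LOG = """\
[06/Aug/2015:14:17:22 -0700] NSMMReplicationPlugin - agmt="cn=eldap2" (eldap2:636): Consumer failed to replay change (uniqueid 67c49201-3c6411e5-97f8dfeb-4acc1d05, CSN 55c3cee4000000010000): Protocol error (2). Will retry later.
[06/Aug/2015:14:17:22 -0700] NSMMReplicationPlugin - agmt="cn=eldap3" (eldap3:636): Consumer failed to replay change (uniqueid 67c49201-3c6411e5-97f8dfeb-4acc1d05, CSN 55c3cee4000000010000): Protocol error (2). Will retry later.
[06/Aug/2015:14:20:17 -0700] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=55c3cf8e000000010000) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[06/Aug/2015:14:20:17 -0700] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (55c3cf8e000000010000); db error - -30994 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<plugin>[^ ]+) - (?P<msg>.*)$')
CSN_RE = re.compile(r'(?i)csn[=\s(]+([0-9a-f]{20})')   # "CSN 55c3...", "csn=55c3...", "csn (55c3..."
RETRY_RE = re.compile(r'retry \((\d+)\)')
AGMT_RE = re.compile(r'agmt="([^"]+)"')

def decode_csn(csn):
    """Split a 20-hex-digit CSN (assumed 389-DS layout): time as seconds since
    the epoch (UTC), sequence number, originating replica ID, subsequence."""
    return {"epoch": int(csn[0:8], 16), "seq": int(csn[8:12], 16),
            "replica_id": int(csn[12:16], 16), "subseq": int(csn[16:20], 16)}

def triage(log_text):
    """Group findings per CSN: which agreements failed to replay the change, the
    highest DB_LOCK_DEADLOCK retry count seen, and whether the changelog write gave up."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        c = CSN_RE.search(m.group("msg")) if m else None
        if not c:
            continue
        csn = c.group(1).lower()
        f = findings.setdefault(csn, {"replica_id": decode_csn(csn)["replica_id"],
                                      "replay_failed_on": [], "deadlock_retries": 0,
                                      "write_failed": False})
        msg = m.group("msg")
        if "failed to replay change" in msg:
            a = AGMT_RE.search(msg)
            f["replay_failed_on"].append(a.group(1) if a else "?")
        r = RETRY_RE.search(msg)
        if r and "DB_LOCK_DEADLOCK" in msg:
            f["deadlock_retries"] = max(f["deadlock_retries"], int(r.group(1)))
        if "failed to write entry" in msg:
            f["write_failed"] = True
    return findings
```

Running `triage(SAMPLE_ERROR_LOG)` shows both CSNs originated on replica ID 1, that the first change failed to replay on both eldap2 and eldap3, and that the second hit 49 deadlock retries before the changelog write failed.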
RHDS query directReports
by Alpesh Shinde
Hi Team,
How do I get the directReport values for a particular manager using RHDS queries? I am new to RHDS but have mostly worked on Microsoft AD, where there is a PowerShell cmdlet to get this value. Can someone please help me with this, or maybe direct me to a specific article that can help? I can query a user's manager info.
Regards,
Alpesh
Sent from my iPhone
8 years, 8 months
389-DS poor performance retrieving groups
by ghiureai
<https://www.flowdock.com/app/canfar/access-control/threads/QyygOboGumgx3q...>
We are seeing poor performance from LDAP retrieving 2500-4500 entries
compared with one of our regular RDBMS; here below is the result of an
ldapsearch.
We are questioning whether, for a general cn=(.*..) search string, LDAP has to
run a round trip for each subset result entry?
What cfg needs tuning to see some performance improvements besides cache
mem size?
ldapsearch -x -s one -H -b 'ou=Groups,ou=ds,dc=cxxx,dc=net' -W -D 'uid=xx,ou=Users,ou=ds,dc=cxxxr,dc=net' 'cn=*MT*' cn nsaccountlock
<https://www.flowdock.com/app/canfar/access-control/threads/uabfakR5BK-gHR...>
# search result
search: 2
result: 0 Success
# numResponses: 2608
# numEntries: 2607
real 0m19.284s
user 0m0.040s
sys 0m0.052s
8 years, 8 months
File Permissions
by Paul Whitney
I have several OpenLDAP clients. Certs are installed in /etc/openldap/cacerts. I am using server certificates to establish an SSL connection with the LDAP server. Using PAM LDAP to authenticate users. I would like to test hardening these clients.
1. What are the absolute minimum permissions required for the TLS CERT and TLS KEY?
2. Can the TLS key have a password, or must it always be without a password?
Thanks,
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
Sent from my browser.
8 years, 8 months
389-DS poor performance retrieving groups
by ghiureai
Mark, would it be acceptable to accommodate only substring indexes
followed by a wildcard, then?
aka: cn=abc*,
cn=efg* .... may need a couple of these indexes.
Thank you
[389-users] 389-DS poor performance retrieving groups
On 08/05/2015 08:24 AM, Mark Reynolds wrote:
>
> On 08/04/2015 11:57 AM, ghiureai wrote:
>> <https://www.flowdock.com/app/canfar/access-control/threads/QyygOboGumgx3q...>
>>
>> We are seeing poor performance from LDAP retrieving 2500-4500 entries
>> compared with one of our regular RDBMS; here below is the result of
>> an ldapsearch.
>> We are questioning whether, for a general cn=(.*..) search string, LDAP has
>> to run a round trip for each subset result entry?
>>
>> What cfg needs tuning to see some performance improvements besides
>> cache mem size?
>>
>> ldapsearch -x -s one -H -b 'ou=Groups,ou=ds,dc=cxxx,dc=net' -W -D 'uid=xx,ou=Users,ou=ds,dc=cxxxr,dc=net' 'cn=*MT*' cn nsaccountlock
> Okay so this is probably unindexed, and the requested access log
> snippet will confirm this. If you see notes=U or notes=A then we can
> tune the id scan limit for that search:
>
> Assuming this is the only search that is giving you issues:
>
> Example:
>
> # ldapmodify <fill in the required parameters>
> dn: cn=cn,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> add: nsIndexIDListScanLimit
> nsIndexIDListScanLimit: limit=-1 type=sub values=*mt,mt*
>
> If there are other substring searches around the "cn" attribute you are having issues with, you can modify this to be:
>
> # ldapmodify <fill in the required parameters>
> dn: cn=cn,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> add: nsIndexIDListScanLimit
> nsIndexIDListScanLimit: limit=-1 type=sub
>
> I'm on a roll today :-( sorry, so this is not going to solve the issue.
> There is no way to index or improve this type of search filter's
> performance (cn=*mt*). If this is a recurring search filter, and your
> client can be adjusted to use vlv indexes, then that might be an option.
> See the admin guide for more info on VLV searches/indexes.
> Regards,
> Mark
>
8 years, 8 months
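Mark's first reply hinges on one check: find the search in the access log and see whether its RESULT line carries notes=U or notes=A. The following added example (mine, not from the thread or from 389-DS) correlates SRCH and RESULT lines by their conn/op pair and reports the flagged searches; the sample lines are constructed to mirror the ldapsearch in the post, and the meaning given to each note (U: unindexed; A: the index lookup exceeded the ID list scan limit, so the server fell back to ALLIDS) follows the usual 389-DS access-log conventions.

```python
import re

# Constructed sample access-log lines (not from the thread), modelled on the
# ldapsearch in the post: each SRCH is tied to its RESULT by (conn, op).
SAMPLE_ACCESS_LOG = """\
[05/Aug/2015:11:57:03 -0700] conn=1 op=0 BIND dn="uid=xx,ou=Users,ou=ds,dc=cxxx,dc=net" method=128 version=3
[05/Aug/2015:11:57:03 -0700] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=xx,ou=users,ou=ds,dc=cxxx,dc=net"
[05/Aug/2015:11:57:03 -0700] conn=1 op=1 SRCH base="ou=Groups,ou=ds,dc=cxxx,dc=net" scope=1 filter="(cn=*MT*)" attrs="cn nsaccountlock"
[05/Aug/2015:11:57:22 -0700] conn=1 op=1 RESULT err=0 tag=101 nentries=2607 etime=19 notes=U
[05/Aug/2015:11:58:01 -0700] conn=2 op=1 SRCH base="ou=Groups,ou=ds,dc=cxxx,dc=net" scope=1 filter="(cn=abc*)" attrs="cn"
[05/Aug/2015:11:58:03 -0700] conn=2 op=1 RESULT err=0 tag=101 nentries=4100 etime=2 notes=A
[05/Aug/2015:11:58:05 -0700] conn=3 op=1 SRCH base="ou=Groups,ou=ds,dc=cxxx,dc=net" scope=1 filter="(cn=efg*)" attrs="cn"
[05/Aug/2015:11:58:05 -0700] conn=3 op=1 RESULT err=0 tag=101 nentries=12 etime=0
"""

SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
                     r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
                       r'tag=\d+ nentries=(?P<n>\d+) etime=(?P<etime>[\d.]+)(?P<rest>.*)')
NOTES = {"U": "unindexed", "A": "hit the ID list scan limit (ALLIDS)"}

def flagged_searches(log_text):
    """Pair SRCH with RESULT by (conn, op) and return the searches whose RESULT
    carries notes=U or notes=A, the markers Mark asks to look for."""
    pending, found = {}, []
    for line in log_text.splitlines():
        s = SRCH_RE.search(line)
        if s:
            pending[(s["conn"], s["op"])] = s.groupdict()
            continue
        r = RESULT_RE.search(line)
        if not r:
            continue
        srch = pending.pop((r["conn"], r["op"]), None)
        notes = re.search(r'notes=([A-Z]+)', r["rest"])
        if srch is None or not notes:
            continue  # RESULT of a BIND etc., or an indexed search: nothing to flag
        why = [NOTES[c] for c in notes.group(1) if c in NOTES]
        if why:
            found.append({"filter": srch["filter"], "nentries": int(r["n"]),
                          "etime": float(r["etime"]), "notes": "; ".join(why),
                          # a wildcard right after '=' is the (cn=*mt*) shape
                          # that Mark says cannot be indexed
                          "leading_wildcard": bool(re.search(r'=\*[^)*]', srch["filter"]))})
    return found
```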
MemberOf plugin behavior change in 1.3.3.
by Ivanov Andrey (M.)
Hi,
just wanted to share our experience. We've recently migrated from 1.3.2.x
to 1.3.3.x in our production environment (CentOS7, x86_64, three 389ds in
multimaster replication).
So far everything looks fine but we have two issues - one important and the
other is more a documentation flaw/behavior change.
* The important issue - crash at shutdown when ACIs with ip address are
present (https://fedorahosted.org/389/ticket/48233). The possible effect
could be the database corruption and/or replication problems after shutdown
and restart ("replica_check_for_data_reload: Warning: disordely shutdown
for replica dc=example,dc=com. Check if DB RUV needs to be updated"). The
workaround for now is that we are not restarting our 389ds servers :)
** The change of behavior/consistency issue: since memberOf plugin has been
redesigned in 1.3.3 (
http://www.port389.org/docs/389ds/design/memberof-plugin-configuration.html)
its behavior has changed a bit. Previously the plugin added the "uniqueMember"
attribute in any case when it was requested and tried to add the "memberOf"
to the linked entry. If "memberOf" was not allowed by the schema there was an
error message like this one:
Entry "uid=user1,ou=People,dc=example,dc=com" -- attribute "memberOf" not
allowed
In the version 1.3.3 (both rpm in CentOS 7.1 and compiled from source
1.3.3.12) this behavior has changed - the plugin refuses to add the
uniqueMember attribute if the corresponding linked entry is not allowed to
have the "memberOf" attribute. Example using the standard sample entries
installed with the server (dc=example,dc=com):
Activate memberOf plugin with
nsslapd-pluginEnabled: on
memberofgroupattr: uniquemember
memberofattr: memberOf
Add the following group:
dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: LDAP Test Group
Try to add the following member (the entry exists and is of
objectClass=inetOrgPerson):
dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=user1,ou=People,dc=example,dc=com
-
The modification of uniqueMember will be refused with error 65 (object
class violation). The error log:
[04/Aug/2015:10:58:17 +0200] - Entry
"uid=user1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
[04/Aug/2015:10:58:17 +0200] memberof-plugin - memberof_postop_modify:
failed to add dn (cn=LDAP Test group,ou=Groups,dc=example,dc=com) to
target. Error (65)
At the same time if we do "replace" of "uniquemember" instead of "add",
then it works:
dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
changetype: modify
replace: uniqueMember
uniqueMember: uid=user1,ou=People,dc=example,dc=com
-
The error message in this case is information only and the modification is
not refused:
[04/Aug/2015:11:04:45 +0200] - Entry
"uid=user1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
So either this change in behavior is intentional, and in this case:
- it should be present in the release notes/documentation
- it should be consistent: the "replace" operation should not work since
"add" does not work
or, if it is not intentional, it should return to the old behavior (only an
informational error message, like with "replace"). In this case, the "add"
operation should be fixed and allowed.
For now, as a workaround we have changed the schema to allow "memberOf"
attribute in all the classes used in entries referenced by "uniqueMember"
in our directory.
Regards,
Andrey
8 years, 8 months
nsDS5ReplicaType behaviour when set to "2"
by William Brown
Hi,
I'm reading the documentation about nsDS5ReplicaType. When this is set to 2,
this is listed as "read-only". Does that mean that the DS instance will reject
or send a referral to the client on add/mod/del operations but will still accept
replica updates? This behaviour isn't made very clear in the documentation, is
all, so I want to be sure of how it works.
Sincerely,
--
William Brown <william(a)blackhats.net.au>
8 years, 8 months