Various system components need restricted access so using "cn=directory manager" is out of the question.

I set nsslapd-errorlog-level=128 (logs acl processing) to dig more into internals. Here's what I saw:

1.2.11

NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"
............ cached allow by aci(7)
...
NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx"
.............cached allow by aci(7)
...


1.2.5
NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"
...........cached allow by aci(7)
.......
NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx"
..........cached context/parent allow
.......

As you can see in 1.2.5, where the search returns faster, for the first returned entry there is "cached allow by aci(7)" whereas for every next one there's "cached context/parent allow". In 1.2.11 however there is "cached allow by aci(7)" for every returned entry. Is this difference of any significance? Am I missing some kind of caching in 1.2.11?

2014-11-24 23:07 GMT+01:00 Rich Megginson <rmeggins@redhat.com>:
On 11/24/2014 08:19 AM, Bartek wrote:
Hello
I have a use case where particular search operations on the same data in 1.2.5 and 1.2.11 differ significantly.
1.2.5 is on CentOS 5.9 and 1.2.11 on CentOS 5.11. I'm asking this as I'm in the middle of an upgrade process and I came across this performance issue.

After feeding both versions with data from the same text dump, particular search operation takes 0.5s in 1.2.5 to complete whereas in 1.2.11 it takes 6s:

ldapsearch -D 'uid=root,ou=users,o=xxx' -x -b 'uid=someuser,dc=domain,dc=pl,o=xxx' -s subtree -w pass '(objectClass=someObjectClass)'

There is a set of 40 acls at the dc=pl,o=xxx node and 9 more on dc=domain,dc=pl,o=xxx. The acl allowing 'uid=root,ou=users,o=xxx' to access everything is at o=xxx.

I did already manage to figure out that the more acis I remove the shorter the search operation is. However even with those acis in place, search on 1.2.5 returns significantly faster.

I would like to ask if there are any factors that would make search operations longer while jumping from 1.2.5 to 1.2.11?

Not that I know of.

You can rule out acis as the source of the performance issue by using -D "cn=directory manager" as the bind dn.

Use logconv.pl to analyze your access logs for common problems.


-- 
Regards
Bartek


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
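
The comparison made by hand in the message above (how often an entry is decided by "cached allow by aci(N)" versus "cached context/parent allow") can be tallied per operation from an error log captured with nsslapd-errorlog-level=128. This is an added example, not part of the original thread or of 389 Directory Server; the function names are hypothetical, the sample lines are constructed in the abbreviated form quoted in the message, and real log lines with extra prefixes are assumed to still contain the same substrings.

```python
import re
from collections import Counter, defaultdict

# Header that opens each ACL evaluation block, in the form quoted in the thread.
HEADER = re.compile(r'NSACLPlugin - #### conn=(\d+) op=(\d+) binddn="([^"]*)"')
# The two decision reasons compared in the thread.
ACI_HIT = re.compile(r'cached allow by aci\((\d+)\)')
CONTEXT_HIT = re.compile(r'cached context/parent allow')

def tally_acl_decisions(lines):
    """Return {(conn, op, binddn): Counter} of decision reasons per operation."""
    stats = defaultdict(Counter)
    current = None
    for line in lines:
        m = HEADER.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)), m.group(3))
            stats[current]['evaluations'] += 1
            continue
        if current is None:
            continue  # reason line with no preceding header: cannot attribute it
        m = ACI_HIT.search(line)
        if m:
            stats[current]['aci(%s)' % m.group(1)] += 1
        elif CONTEXT_HIT.search(line):
            stats[current]['context/parent'] += 1
    return dict(stats)

def context_cache_ratio(counter):
    """Fraction of decided evaluations answered by the context/parent cache."""
    decided = sum(v for k, v in counter.items() if k != 'evaluations')
    return counter['context/parent'] / decided if decided else 0.0

# Constructed samples mirroring the two excerpts in the message.
HDR = 'NSACLPlugin - #### conn=%d op=1 binddn="uid=root,ou=users,o=xxx"'
SAMPLE_1_2_11 = [HDR % 3, '............ cached allow by aci(7)', '...',
                 HDR % 3, '.............cached allow by aci(7)', '...']
SAMPLE_1_2_5 = [HDR % 881, '...........cached allow by aci(7)', '.......',
                HDR % 881, '..........cached context/parent allow', '.......']

if __name__ == '__main__':
    for name, sample in (('1.2.11', SAMPLE_1_2_11), ('1.2.5', SAMPLE_1_2_5)):
        for (conn, op, dn), c in tally_acl_decisions(sample).items():
            print(name, 'conn=%d op=%d' % (conn, op), dn, dict(c),
                  'context/parent ratio=%.2f' % context_cache_ratio(c))
```

Running it over the full error log from each server gives, per conn/op, the share of entries that skipped per-entry aci matching, which is the difference the two excerpts show.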

