On Thu, Jul 12, 2018 at 10:54:55AM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 12 Jul 2018, tolotos--- via FreeIPA-users wrote:
> > Hi,
> >
> > we have done some additional testing and debugging.
> >
> > It seems there are some problems with the extdom-extop plugin in the directory server.
> >
> > If we set ignore_group_members, the first request gets a good response.
> > (tested by: server: sssctl cache-remove -p -s -o ; sleep 1; stop-dirsrv ; sleep 1; start-dirsrv / client: sssctl cache-remove -p -s -o ; sleep 1; sssctl user-checks user@ad.domain)
> >
> > However, starting with the second request, the extdom-extop returns every request with an err=32 Object Not Found.
> >
> > We already tried to increase ipaextdommaxnssbufsize and ipaextdommaxnsstimeout.
> > (we increased error log level on dirsrv to be sure that the values are used: Maximal nss buffer size set to [268435456]! / Maximal nss timeout (in ms) set to [100000]!)
> >
> > Does someone have some ideas where to look from here?
> Setting ignore_group_members on IPA masters does not really allow extdom
> plugin to work well.
Are you sure? I've seen quite a few users enabling this switch..
(Maybe you meant the compat tree which also publishes the group
members?)
>
> However, did you try to increase timeouts in sssd on IPA master? Extdom
> plugin calls out to SSSD on IPA master when any request comes to it via
> LDAP extended operation. So the plugin itself doesn't really do
> anything, sssd on IPA master does all the heavy lifting. Extdom plugin
> only translates an answer given by SSSD.