Hi everyone.
Recently, I have noticed a significant increase in the load generated by the
automember-rebuild command, even when there are no changes to be made to the users'
group memberships. This high load also propagates via replication and affects the entire
infrastructure (we have about 30 replicas).
As an example, I issued the following command:
ipa automember-rebuild --type=group --users=someuser
Despite the fact that the user 'someuser' already had all the required group
memberships, the automember-rebuild command generated a significant amount of load on the
system.
The problem user, for example, has 23 groups in total, 18 of which are the result of automember
rules. With automember we are roughly working around the limitation of an identity service that
has no support for LDAP nested groups, so some users have to be inserted directly as
group members via an automember rule instead of relying on nesting.
So, when a batch of users was getting added, I used this bash script:
#!/bin/bash
# Count the users once, so the progress line below has a denominator.
TOTAL_USERS=$(ipa user-find --all --sizelimit=0 | awk '/User login:/ {print $3}' | wc -l)
COUNTER=1
# Rebuild automember group membership for every user, one command per login.
for g in $(ipa user-find --all --sizelimit=0 | awk '/User login:/ {print $3}')
do
    echo "User $g"
    ipa automember-rebuild --type=group --users="$g"
    echo "Number of entries processed $COUNTER/$TOTAL_USERS"
    let COUNTER++
done
Its purpose is to assign the needed groups to new users, in case someone was left unhandled by first-line
support. But over time, as the number of groups and replicas grew, I started to experience the
problems I described above, even when no changes were to be applied. So I came to the
conclusion that I lack understanding of what automember-rebuild actually does under the
hood. All I know is that it puts tasks under "cn=automember rebuild
membership,cn=tasks,cn=config".
What would certainly help is this feature:
https://directory.fedoraproject.org/docs/389ds/design/log-operation-stats...
but it's not available for my version of 389ds (389-Directory/1.4.3.28,
ipa-server-4.9.10-6, CentOS8 container).
So my questions are:
1) Can someone provide an overview of what automember-rebuild does under the hood?
2) Are those changes propagated by replication, even if no changes need to be applied?
(i.e. the users are already in the needed groups but the command is still issued for every user)
3) Why is 389-ds being affected so much by 18 membership rules? From what I see in the
monitoring tools I get heavy delays on disk IO. Is it really too much, or should it not
affect the server this much, so that I need to look for some system tuning (4 CPU, 8GB RAM currently, SSD
disk)?
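As an added example (not from the original post), the script above can issue one automember-rebuild command per batch of logins instead of one per user, which cuts the number of rebuild tasks created on the server. It assumes the `--users` option can be repeated on one command line, and `BATCH_SIZE` and `IPA_CMD` are hypothetical knobs (set `IPA_CMD="echo ipa"` for a dry run).

```shell
#!/bin/bash
# Added example: batch automember-rebuild over many users (not the original post's script).
# Assumption: `ipa automember-rebuild --users=A --users=B` rebuilds several users in one task.
set -eu

BATCH_SIZE="${BATCH_SIZE:-50}"   # hypothetical tuning knob: logins per rebuild command
IPA_CMD="${IPA_CMD:-ipa}"        # hypothetical override; "echo ipa" prints instead of running

# list_logins: print one user login per line from `ipa user-find`.
list_logins() {
    $IPA_CMD user-find --all --sizelimit=0 | awk '/User login:/ {print $3}'
}

# build_rebuild_args: read logins on stdin and emit one line per batch, each line
# holding the repeated --users=LOGIN options for a single rebuild command.
build_rebuild_args() {
    size="$1"; count=0; args=""
    while IFS= read -r login; do
        [ -z "$login" ] && continue
        args="$args --users=$login"
        count=$((count + 1))
        if [ "$count" -eq "$size" ]; then
            printf '%s\n' "${args# }"
            args=""; count=0
        fi
    done
    # Flush the last, possibly partial, batch.
    [ -n "$args" ] && printf '%s\n' "${args# }"
    return 0
}

# rebuild_in_batches: run one automember-rebuild per batch line read on stdin.
rebuild_in_batches() {
    n=0
    while IFS= read -r batch; do
        n=$((n + 1))
        echo "Batch $n: $batch"
        # Word splitting of $batch into separate --users options is intended here.
        $IPA_CMD automember-rebuild --type=group $batch
    done
}

if [ "${1:-}" = "run" ]; then
    list_logins | build_rebuild_args "$BATCH_SIZE" | rebuild_in_batches
fi
```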