Various system components need restricted access so using "cn=directory manager" is out of the question.
I set nsslapd-errorlog-level=128 (logs acl processing) to dig more into internals. Here's what I saw:

1.2.11

NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx" ............ cached allow by aci(7) ...
NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx" .............cached allow by aci(7) ...

1.2.5

NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx" ...........cached allow by aci(7) .......
NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx" ..........cached context/parent allow .......

As you can see in 1.2.5, where search returns faster, for first returned entry there is "cached allow by aci(7)" whereas for every next there's "cached context/parent allow". In 1.2.11 however there is "cached allow by aci(7)" for every returned entry.

Is this difference of any significance? Am I missing some kind of caching in 1.2.11?

2014-11-24 23:07 GMT+01:00 Rich Megginson <[email protected]>:

> On 11/24/2014 08:19 AM, Bartek wrote:
>
> > Hello
> > I have a use case where particular search operations on the same data in
> > 1.2.5 and 1.2.11 differ significantly.
> > 1.2.5 is on CentOS 5.9 and 1.2.11 on CentOS 5.11. I'm asking this as I'm
> > in the middle of upgrade process and I come across this performance issue.
> >
> > After feeding both versions with data from the same text dump,
> > particular search operation takes 0.5s in 1.2.5 to complete whereas in
> > 1.2.11 it takes 6s:
> >
> >     ldapsearch -D 'uid=root,ou=users,o=xxx' -x \
> >         -b 'uid=someuser,dc=domain,dc=pl,o=xxx' -s subtree -w pass \
> >         '(objectClass=someObjectClass)'
> >
> > There is a set of 40 acls at the dc=pl,o=xxx node and 9 more on
> > dc=domain,dc=pl,o=xxx. The acl allowing 'uid=root,ou=users,o=xxx' to access
> > everything is at o=xxx.
> >
> > I did already manage to figure out that the more acis I remove the
> > shorter the search operation is. However even with those aci in place,
> > search on 1.2.5 returns significantly faster.
> >
> > I would like to ask if there are any factors that would make search
> > operations longer while jumping from 1.2.5 to 1.2.11?
>
> Not that I know of.
>
> You can rule out acis as the source of the performance issue by using -D
> "cn=directory manager" as the bind dn.
>
> Use logconv.pl to analyze your access logs for common problems.
>
> > --
> > Regards
> > Bartek
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
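Added example, not part of the thread and not 389 Directory Server code: a small Python tally of the two decision strings quoted above, per connection and operation, so the error logs of the two versions can be compared by numbers rather than by eye. The sample lines are constructed in the abbreviated shape used in the post; real level-128 lines carry more fields, and charging a decision line that has no conn=/op= of its own to the last operation seen is an assumption.

```python
import re
from collections import Counter, defaultdict

# Only the tokens quoted in the post are matched; the rest of a line is ignored.
OP_RE = re.compile(r'conn=(\d+) op=(\d+)')
ACI_RE = re.compile(r'cached allow by aci\((\d+)\)')
CTX_RE = re.compile(r'cached context/parent allow')

def tally(lines):
    """Count ACL decision types per (conn, op) in NSACLPlugin log lines."""
    counts = defaultdict(Counter)
    current = None
    for line in lines:
        if "NSACLPlugin" not in line:
            continue
        op = OP_RE.search(line)
        if op:
            current = (int(op.group(1)), int(op.group(2)))
        if current is None:
            continue  # decision seen before any operation header
        aci = ACI_RE.search(line)
        if aci:
            counts[current]["aci(%s)" % aci.group(1)] += 1
        elif CTX_RE.search(line):
            # Assumption: may appear on a follow-up line without conn=/op=.
            counts[current]["context/parent"] += 1
    return counts

def reuse_ratio(counter):
    """Share of decisions answered with 'cached context/parent allow'."""
    total = sum(counter.values())
    return counter["context/parent"] / total if total else 0.0

# Constructed sample lines (not real server output).
HDR_125 = 'NSACLPlugin - #### conn=881 op=1 binddn="uid=root,ou=users,o=xxx" ... '
HDR_1211 = 'NSACLPlugin - #### conn=3 op=1 binddn="uid=root,ou=users,o=xxx" ... '
SAMPLE_1_2_5 = [
    HDR_125 + "cached allow by aci(7) ...",
    HDR_125 + "cached context/parent allow ...",
    HDR_125 + "cached context/parent allow ...",
    "NSACLPlugin - ... cached context/parent allow ...",
]
SAMPLE_1_2_11 = [HDR_1211 + "cached allow by aci(7) ..."] * 4

if __name__ == "__main__":
    for name, sample in (("1.2.5", SAMPLE_1_2_5), ("1.2.11", SAMPLE_1_2_11)):
        for op, c in tally(sample).items():
            print(name, op, dict(c), "reuse=%.2f" % reuse_ratio(c))
```

To use it on a real log, pass an open error-log file to `tally()` in place of the sample list.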
