Today's Topics:
1. Re: DS crashed /killed by OS (Mark Reynolds)
2. Re: Passwordless sudo - is it possible? (Todor Petkov)
3. Re: Passwordless sudo - is it possible? (Alan Willis)
4. Re: Passwordless sudo - is it possible? (Gordon Messmer)
----------------------------------------------------------------------
Message: 1
Date: Mon, 2 Nov 2015 09:52:27 -0500
From: Mark Reynolds <[email protected]>
To: [email protected], "General discussion list for the 389
Directory server project." <[email protected]>
Subject: Re: [389-users] DS crashed /killed by OS
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 11/01/2015 08:50 PM, William Brown wrote:
On Thu, 2015-10-22 at 17:48 +0000, Fong, Trevor wrote:
Hi German,
Thanks for your suggestion. I’m happy to confirm that setting
userRoot’s nsslapd-cachememsize: 429496730 (1/15th of previous value
of 6 GB) has addressed the memory issue for now, and % Mem for the
ns-slapd process seems to be at a manageable level.
Thanks very much,
Trev
As I understand it, the fragmentation is due to the use of fastbins.
See man mallopt M_MXFAST for an explanation.
You may be able to reduce fragmentation with the setting
nsslapd-malloc-mxfast, but you may see a (potentially severe) degradation in
performance. As I understand the value is by default 64 on a 32 bit
system, and 128 on a 64bit one, so perhaps try reducing it by half and
see if that helps.
I'm not sure if this is a supported option either so you may not wish
to enable it. You should always try changes like this on a
non-production system first.
Well we have not seen any significant improvement modifying the fast
bins (M_MXFAST). So while it can slightly reduce fragmentation,
unfortunately it's not really a solution. Now using a different memory
allocator, like jemalloc, has shown significant improvements in memory
size/fragmentation. Check out:
http://www.port389.org/docs/389ds/FAQ/jemalloc-testing.html
The only issue is that jemalloc is not available on all platforms
yet (especially older versions of RHEL/Fedora).
Mark
Alternatively, you can set the cachemem to autosize with
nsslapd-cache-autosize=50 or something like that. This way the cache will use only
50% of the free ram on the system. I believe this value is determined
at server start up, rather than being constantly adjusted through the
lifetime of the process.
Remember, that with the caching, there is some good material in the
tuning guide which may help you understand the correct values you
should set for your cache sizes based on the number of entries you
have.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Performance_Tuning_Guide/index.html
As German said, there is work to reduce the impact of memory
fragmentation on process memory size, so these are hopefully temporary
solutions.
-
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
------------------------------
Message: 2
Date: Mon, 02 Nov 2015 17:02:47 +0200
From: Todor Petkov <[email protected]>
To: [email protected], "General discussion list for the 389
Directory server project." <[email protected]>
Subject: Re: [389-users] Passwordless sudo - is it possible?
Message-ID: <[email protected]>
Content-Type: text/plain; charset=US-ASCII; format=flowed
On 02/11/2015 10:20 AM, Todor Petkov wrote:
Hello,
my bad, I meant that I have added the line in sudoers, but it was not
working.
However, I have added the user as "uniquemember" of the group, not
just "gidNumber" and it's OK now.
Thanks.
Hi,
small update:
when the group is with NOPASSWD:ALL, it's not working.
If the user has specific record, it's OK.
I can change the sudoers record with pssh, but if someone can give a
hint how to make the group record working, I will appreciate it.
Regards,
------------------------------
Message: 3
Date: Mon, 2 Nov 2015 07:54:33 -0800
From: Alan Willis <[email protected]>
To: "General discussion list for the 389 Directory server project."
<[email protected]>
Cc: [email protected]
Subject: Re: [389-users] Passwordless sudo - is it possible?
Message-ID:
<CAAw=1wPi5f98WQbWb5sx0VV4QypycqcAX-zZ_gckDxmoc=s...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
To get NOPASSWD behavior when using ldap to distribute your sudo records,
you need to add a sudo options attribute to the sudo rule in ldap to negate
the default authentication requirement.
From http://www.sudo.ws/man/1.8.13/sudoers.man.html
authenticate:
If set, users must authenticate themselves via a password (or other means
of authentication) before they may run commands. This default may be
overridden via the PASSWD and NOPASSWD tags. This flag is on by default.
To negate it, place a '!' in front of it as the value to a sudo options
attribute in ldap.
On Mon, Nov 2, 2015 at 7:02 AM, Todor Petkov <[email protected]> wrote:
On 02/11/2015 10:20 AM, Todor Petkov wrote:
Hello,
my bad, I meant that I have added the line in sudoers, but it was not
working.
However, I have added the user as "uniquemember" of the group, not
just "gidNumber" and it's OK now.
Thanks.
Hi,
small update:
when the group is with NOPASSWD:ALL, it's not working.
If the user has specific record, it's OK.
I can change the sudoers record with pssh, but if someone can give a hint
how to make the group record working, I will appreciate it.
Regards,
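
The sudo rule described in Message 3, as an added example that is not part of the original thread: a constructed LDIF export with a group sudoRole carrying `sudoOption: !authenticate`, and a small audit that lists every rule that disables authentication. The DNs, group names and host name are assumptions; the attribute names are those of sudo's LDAP schema.

```python
# Added example: find sudoRole entries that disable authentication.
# SAMPLE_LDIF is constructed; DNs, groups and hosts are placeholders.
SAMPLE_LDIF = """\
dn: cn=admins-nopasswd,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: admins-nopasswd
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=webops,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: webops
sudoUser: %webops
sudoHost: web01.example.com
sudoCommand: /usr/bin/systemctl restart httpd
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'
    lines; folded lines are unfolded. Base64 ('::') values are not decoded."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def passwordless_rules(entries):
    """Return sudoRole entries whose sudoOption disables authentication."""
    found = []
    for e in entries:
        if "sudorole" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        if "!authenticate" in e.get("sudooption", []):
            found.append({"cn": e["cn"][0],
                          "users": e.get("sudouser", []),
                          "all_commands": "ALL" in e.get("sudocommand", [])})
    return found

if __name__ == "__main__":
    for rule in passwordless_rules(parse_ldif(SAMPLE_LDIF)):
        print(rule)
```

Rules reported with `all_commands` set to true grant unrestricted root without a password prompt to every member of the listed group, so they are the ones worth reviewing first.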