Terry, did you ever get to the bottom of this? I appear to be having a
similar issue with the same version of IPA.
On Wed, Sep 4, 2013 at 1:18 PM, Terry Soucy <tso...@salesforce.com> wrote:
> I am experiencing some long execution times, and I'm wondering if anyone
> can give me some insight.
> We are running FreeIPA 3.0.0-26 on Redhat 6.1. We have multimaster
> replication running among 4 hosts. We have approv 100 users, 25 usergroups
> and hostgroups, and approx 2000 hosts in a single domain. We noticed that
> some DNS queries were timing out periodically. When I investigated further,
> I found several of the DNS requests in the access log
> [04/Sep/2013:13:42:24 -0300] conn=122491 op=3888679 SRCH
> scope=0 filter="
> (objectClass=idnsRecord)" attrs=ALL
> [04/Sep/2013:13:42:44 -0300] conn=122491 op=3888679 RESULT err=32 tag=101
> es=0 etime=20
> There are a lot of those, as expected, since we first noticed this issue
> with DNS.
> Then I found this ...
> [04/Sep/2013:13:42:23 -0300] conn=368561 op=9 EXT
> oid="2.16.840.1.1137184.108.40.206" name="Netscape Replication End Session"
> [04/Sep/2013:13:42:44 -0300] conn=368561 op=9 RESULT err=0 tag=120
> nentries=0 etime=22
> and lots of this ...
> [04/Sep/2013:13:42:26 -0300] conn=368604 op=0 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [04/Sep/2013:13:42:44 -0300] conn=368604 op=0 RESULT err=14 tag=97
> nentries=0 etime=18, SASL bind in progress
> So, is my SASL bind causing the replication to go long, or is the
> replication taking a long time and causing the hang? Is there a way I can
> see the details of the replication? There is not a lot of changes going on
> that require replication with regards to dns, users, hosts, etc, so I'm not
> sure why it would take so long. Also, can I remove the SASL bind and just
> add a replication user to the dse.ldif to remove the requirement for
> kerberos for replication?
> Terry Soucy - Systems Engineer
> Salesforce MarketingCloud - http://www.salesforce.com
> (o) 506.631.7445 (c) 506.609.3247 | (e) tso...@salesforce.com
> Freeipa-users mailing list
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
Freeipa-users mailing list