Here is a sanitized copy of my slapd.conf. I'm still working on the logs
and gdb backtrace. Let me know if you notice anything out of sorts.

Thanks!

Mark

[email protected] wrote:
>> Matthew and Hallvard,
>>
>> Matthew Backes wrote:
>>> Large collections of values can be slow for some uses; have you looked
>>> at the sortvals option? (needs a db reload with slapcat+slapadd)
>> Thanks for your suggestion to add the sortvals option. I've done so and
>> still experience the hangs.
>>
>>>> memberUid: t2479
>>> That doesn't seem terribly large, no. sortvals is more pertinent if you
>>> have 100k+ values on the attribute...
>> Exactly what I was thinking. This doesn't seem like a really large
>> number, but it's consistently hanging for us.
>
> A consistent hang calls for some deadlock. Your configuration might be
> tweaking some strange interoperation of functionalities that result in the
> deadlock. So, rather than the logs, the configuration would be of
> paramount interest. We are obviously looking for details, so don't omit
> anything; rather sanitize sensitive information, like passwords. I'm
> specifically thinking about some strange interoperation between databases,
> overlays, ACLs and so.
>
> p.

[Attachment: slapd.conf]

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/krb5-kdc.schema
include         /etc/ldap/schema/ppolicy.schema
include         /etc/ldap/schema/automount.schema
include         /etc/ldap/schema/samba.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.master.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.master.args

# Read slapd.conf(5) for possible values
loglevel        stats sync

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      syncprov
moduleload      ppolicy

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=cs,dc=brown,dc=edu"

# number of entries to keep in cache
cachesize       10000

# time between database checkpoints
checkpoint      128 15

# Where the database files are physically stored for database #1
directory       "/sysvol/ldap/db"

# Indexing options for database #1
index           default eq
index           cn,sn,givenName
index           uid,uidNumber,gidNumber,memberNisNetGroup
index           automountKey,automountMapName,memberUid,uniqueMember,homeDirectory
index           contextCSN,entryCSN,entryUUID,objectClass
index           mail eq,sub

# multi-valued attributes that should always be maintained in sorted order
sortvals        memberUid
sortvals        nisNetgroupTriple

# Max number of anonymous sessions
conn_max_pending 1000

# Save the time that the entry gets modified, for database #1
lastmod         on

overlay         syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100

######################################################################
# CS dept config
######################################################################

# TLS Config
TLSCertificateFile      /sysvol/ldap/config/ldapmaster-cert.pem
TLSCertificateKeyFile   /sysvol/ldap/config/ldapmaster-key.pem
TLSCACertificateFile    /usr/share/ca-certificates/cs.brown.edu/cs.brown.edu.crt
TLSVerifyClient         allow

# CS dept SASL config
sasl-realm      cs.brown.edu
sasl-host       ldapmaster.cs.brown.edu

# This is a bit of a hack to restrict the SASL mechanisms that the server
# advertises to just GSSAPI. Otherwise it also advertises DIGEST-MD5,
# which the clients prefer. Then you have to add "-Y GSSAPI" to all of
# your ldapsearch/ldapmodify command lines, which is annoying. The default
# for this is noanonymous,noplain so the addition of noactive is what makes
# DIGEST-MD5 and others go away.
sasl-secprops   noanonymous,noplain,noactive

# Map SASL authentication DNs to LDAP DNs. This leaves <username>/root
# principals untouched
saslRegexp      uid=([^/]*),cn=cs.brown.edu,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=cs,dc=brown,dc=edu
# This should be a ^ plus, not a star, but slapd won't accept it

# Access controls
access to * attrs=userPassword
        by ssf=128 anonymous auth
        by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
        by ssf=128 dn="cn=sync,dc=cs,dc=brown,dc=edu" write
        by ssf=128 self write
        by * none

# The */root dn has full write access, everyone else can read everything.
access to *
        by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
        by ssf=128 dn="uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=GSSAPI,cn=auth" read
        by * read

# Specify default password policies
overlay         ppolicy
ppolicy_default "cn=password,ou=policies,dc=cs,dc=brown,dc=edu"

password-hash   {SSHA}

sizelimit       unlimited
timelimit       unlimited
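An added example, not part of the thread and not OpenLDAP code: a small Python model of the two `access to` rules and the saslRegexp from the slapd.conf above, evaluated with slapd's first-match semantics (the first `<what>` that covers the attribute is used; within it the first `<by>` whose `ssf=` gate and `<who>` both match decides; if none match, access is denied, slapd's implicit `by * none`). It handles only the `<who>` forms this config uses (`*`, `anonymous`, `self`, `dn=`, `dn.regex=`) and none of the rest of slapd.access(5). The user and root principal DNs are constructed sample data; the model assumes `dn.regex` matching is unanchored and case-insensitive and that the saslRegexp needs a full match. Running `demo()` shows the userPassword rule doing what its comment intends: self, the sync DN and `*/root` principals get write, but only over SSF >= 128; anonymous gets `auth` (enough to bind) over TLS and nothing at all in the clear, so a cleartext simple bind cannot even authenticate. It also shows that the `dn="uid=.*,ou=people,...,cn=GSSAPI,cn=auth"` clause in the second rule never matches anyone, because `dn=` without a style qualifier is an exact match and the `.*` is taken literally; the trailing `by * read` grants the same read access, so the clause is dead rather than harmful.

```python
import re
import shlex

# The two ACLs exactly as they appear in the posted slapd.conf.
ACL_TEXT = """
access to * attrs=userPassword
    by ssf=128 anonymous auth
    by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
    by ssf=128 dn="cn=sync,dc=cs,dc=brown,dc=edu" write
    by ssf=128 self write
    by * none
access to *
    by ssf=128 dn.regex="uid=.*/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
    by ssf=128 dn="uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=GSSAPI,cn=auth" read
    by * read
"""
# The posted saslRegexp; slapd writes the back-reference as $1, Python as \1.
SASL_MATCH = r"uid=([^/]*),cn=cs.brown.edu,cn=GSSAPI,cn=auth"
SASL_REPLACE = r"uid=\1,ou=people,dc=cs,dc=brown,dc=edu"

def norm(dn):
    return re.sub(r",\s*", ",", dn.strip()).lower()   # crude DN normalisation

def parse_acls(text):
    # Returns [(attrs_or_None, [(kind, value, min_ssf, level), ...]), ...]
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)                 # also strips the quotes around DNs
        if tok[:2] == ["access", "to"]:
            attrs = [t[6:] for t in tok[3:] if t.startswith("attrs=")]
            # attrs None: the <what> clause covers every attribute of every entry
            rules.append(({a.lower() for a in attrs[0].split(",")} if attrs else None, []))
        elif tok[:1] == ["by"]:
            i, min_ssf = 1, 0                   # min_ssf 0: no ssf= qualifier
            if tok[i].startswith("ssf="):
                min_ssf, i = int(tok[i][4:]), i + 1
            who, level = tok[i], tok[i + 1]
            if who.startswith("dn.regex="):
                by = ("dn.regex", who[9:], min_ssf, level)
            elif who.startswith("dn="):
                # dn= without a style qualifier is an exact match, so '.*' is literal
                by = ("dn.exact", norm(who[3:]), min_ssf, level)
            else:
                by = (who, "", min_ssf, level)  # '*', 'anonymous' or 'self'
            rules[-1][1].append(by)
    return rules

def who_matches(by, bind_dn, target_dn, ssf):
    kind, value, min_ssf, _ = by
    if ssf < min_ssf:                           # the ssf= gate is checked first
        return False
    if kind in ("*", "anonymous"):
        return kind == "*" or bind_dn is None
    if bind_dn is None:                         # self and dn.* need a bound DN
        return False
    if kind == "self":
        return norm(bind_dn) == norm(target_dn)
    if kind == "dn.exact":
        return norm(bind_dn) == value
    # dn.regex: assumed unanchored, case-insensitive, like a POSIX regexec() search
    return re.search(value, bind_dn, re.I) is not None

def access_level(rules, bind_dn, target_dn, attr, ssf):
    # First <what> covering attr is used, then its first matching <by>; if none of
    # its <by> clauses match, access is denied (slapd's implicit 'by * none').
    for attrs, bys in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for by in bys:
            if who_matches(by, bind_dn, target_dn, ssf):
                return by[3]
        return "none"
    return "none"

def map_sasl_dn(authz_dn):
    # Full match assumed. 'uid=name/root,...' does not match [^/]* followed by
    # ',cn=cs.brown.edu' and is left untouched, as the config comment intends.
    if re.fullmatch(SASL_MATCH, authz_dn, re.I):
        return re.sub(SASL_MATCH, SASL_REPLACE, authz_dn, flags=re.I)
    return authz_dn

def demo():
    # Constructed identities (sample data, not real accounts) run through the rules.
    rules = parse_acls(ACL_TEXT)
    alice = map_sasl_dn("uid=alice,cn=cs.brown.edu,cn=GSSAPI,cn=auth")
    root = map_sasl_dn("uid=alice/root,cn=cs.brown.edu,cn=GSSAPI,cn=auth")
    bob = "uid=bob,ou=people,dc=cs,dc=brown,dc=edu"
    return {
        "alice_mapped": alice,
        "root_unmapped": root,
        "alice_own_pw_tls": access_level(rules, alice, alice, "userPassword", 256),
        "alice_bob_pw_tls": access_level(rules, alice, bob, "userPassword", 256),
        "root_pw_tls": access_level(rules, root, bob, "userPassword", 128),
        "root_pw_weak_ssf": access_level(rules, root, bob, "userPassword", 56),
        "anon_pw_tls": access_level(rules, None, bob, "userPassword", 128),
        "anon_pw_cleartext": access_level(rules, None, bob, "userPassword", 0),
        "alice_cn_tls": access_level(rules, alice, bob, "cn", 128),
        "anon_cn_cleartext": access_level(rules, None, bob, "cn", 0),
    }
```

Call `demo()` and print the dictionary to see each case; the `ssf=` values are the per-connection security strength factor (0 for a cleartext connection, 128 or more for the TLS and GSSAPI sessions this config expects). Note that the model only evaluates the ACLs; it says nothing about the deadlock under discussion, which is what the logs and backtrace are for.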
