Re: [389-users] DNA Plugin Causes 389-DS to Crash if Large Number of Candidates
Hi Rich, Thanks for your reply. Nsslapd-idlistscanlimit is set to the default of 4000. I’ll see if we can upgrade our install and see how that goes. In the meantime, any further suggestions would be most welcome. Thanks, Trev From: 389-users-boun...@lists.fedoraproject.orgmailto:389-users-boun...@lists.fedoraproject.org on behalf of Rich Megginson rmegg...@redhat.commailto:rmegg...@redhat.com Reply-To: 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org Date: Thursday, July 16, 2015 at 5:19 PM To: 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org Subject: Re: [389-users] DNA Plugin Causes 389-DS to Crash if Large Number of Candidates On 07/16/2015 05:47 PM, Fong, Trevor wrote: Hi Guys, We’re running 389-ds 1.2.11.29-1.el6 Can you upgrade to a newer version? There have been several releases since then. and are experimenting with the DNA plugin. When trying to set an existing account’s uidNumber to the magic regen number of 9, we get the error message in the errors log: Allocation of a new value for range cn=uid numbers,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. And then DS becomes unresponsive. If the server is crashed: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes If the server is hung: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs Looking at the debug error logs, it seems that the number of candidates defined by the combination of dnaScope and dnaFilter is too large (1389387 ids) for the sort function? Looks like it. Is there a fix? Or is there some error in our setup? Looks like you are hitting the idlistscanlimit: [16/Jul/2015:15:31:06 -0700] - = index_read( employeeNumber + ) [16/Jul/2015:15:31:06 -0700] -indextype: pres indexmask: 0x3 [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=207 ... [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=4075 [16/Jul/2015:15:31:06 -0700] - idl_new_fetch + returns allids [16/Jul/2015:15:31:06 -0700] - = index_read 1389387 candidates ... [16/Jul/2015:15:31:06 -0700] - = index_read( objectClass = posixaccount ) [16/Jul/2015:15:31:06 -0700] -indextype: eq indexmask: 0x2 [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=207 ... [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=4075 [16/Jul/2015:15:31:06 -0700] - idl_new_fetch =posixaccount returns allids [16/Jul/2015:15:31:06 -0700] - = index_read 1389387 candidates [16/Jul/2015:15:31:06 -0700] -ival[0] = posixaccount = 1389387 IDs ... [16/Jul/2015:15:31:06 -0700] - Asked to sort ALLIDS candidate list, refusing [16/Jul/2015:15:31:06 -0700] - = send_ldap_result 12::Sort Response Control You might try raising the nsslapd-idlistscanlimit to be greater than 1389387 Thanks, Trev Our setup is thus: dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: extensibleObject objectClass: nsContainer objectClass: nsSlapdPlugin objectClass: top cn: Distributed Numeric Assignment Plugin nsslapd-pluginDescription: Distributed Numeric Assignment plugin nsslapd-pluginEnabled: on nsslapd-pluginId: Distributed Numeric Assignment nsslapd-pluginInitfunc: dna_init nsslapd-pluginPath: libdna-plugin nsslapd-pluginType: bepreoperation nsslapd-pluginVendor: 389 Project nsslapd-pluginVersion: 1.2.11.29 nsslapd-plugin-depends-on-type: database dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=co nfig objectClass: extensibleObject objectClass: top cn: UID numbers dnaFilter: ((employeeNumber=*)(objectclass=posixAccount)) dnaMagicRegen: 9 dnaNextValue: 1002 dnaScope: ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com dnaType: uidNumber Error log: [16/Jul/2015:15:31:05 -0700] - add_pb [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907e68, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907d30, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - get_pb [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use: 0 [16/Jul/2015:15:31:05 -0700] - do_modify [16/Jul/2015:15:31:05 -0700] - do_modify: dn (uid=myacct,ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com) [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls no controls [16
Re: [389-users] DNA Plugin Causes 389-DS to Crash if Large Number of Candidates
BTW, we were able to artificially make it work by changing the dnaFilter to the emplid of our test user: dnaFilter: ((employeeNumber=12345)(objectclass=posixAccount)) Trev From: Trevor Fong trevor.f...@ubc.camailto:trevor.f...@ubc.ca Date: Thursday, July 16, 2015 at 4:47 PM To: 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org 389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org Subject: DNA Plugin Causes 389-DS to Crash if Large Number of Candidates Hi Guys, We’re running 389-ds 1.2.11.29-1.el6 and are experimenting with the DNA plugin. When trying to set an existing account’s uidNumber to the magic regen number of 9, we get the error message in the errors log: Allocation of a new value for range cn=uid numbers,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. And then DS becomes unresponsive. Looking at the debug error logs, it seems that the number of candidates defined by the combination of dnaScope and dnaFilter is too large (1389387 ids) for the sort function? Is there a fix? Or is there some error in our setup? Thanks, Trev Our setup is thus: dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: extensibleObject objectClass: nsContainer objectClass: nsSlapdPlugin objectClass: top cn: Distributed Numeric Assignment Plugin nsslapd-pluginDescription: Distributed Numeric Assignment plugin nsslapd-pluginEnabled: on nsslapd-pluginId: Distributed Numeric Assignment nsslapd-pluginInitfunc: dna_init nsslapd-pluginPath: libdna-plugin nsslapd-pluginType: bepreoperation nsslapd-pluginVendor: 389 Project nsslapd-pluginVersion: 1.2.11.29 nsslapd-plugin-depends-on-type: database dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=co nfig objectClass: extensibleObject objectClass: top cn: UID numbers dnaFilter: ((employeeNumber=*)(objectclass=posixAccount)) dnaMagicRegen: 9 dnaNextValue: 1002 dnaScope: ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com dnaType: uidNumber Error log: [16/Jul/2015:15:31:05 -0700] - add_pb [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907e68, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907d30, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - get_pb [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use: 0 [16/Jul/2015:15:31:05 -0700] - do_modify [16/Jul/2015:15:31:05 -0700] - do_modify: dn (uid=myacct,ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com) [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls no controls [16/Jul/2015:15:31:05 -0700] - modifications: [16/Jul/2015:15:31:05 -0700] - replace: uidNumber [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.12) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.18) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - mapping tree selected backend : userRoot [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.12) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.18) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - mapping tree selected backend : userRoot [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x0, handle=6 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x0, handle=5 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = compute_limits: sizelimit=-1, timelimit=-1 [16/Jul/2015:15:31:05 -0700] - Calling plugin 'Account Usability Plugin' #1 type 403 [16/Jul/2015:15:31:05 -0700] account-usability-plugin - -- auc_pre_search [16/Jul/2015:15:31:05 -0700] account-usability-plugin - -- auc_pre_op [16/Jul/2015:15:31:05 -0700] - Calling plugin 'ACL preoperation' #2 type 403 [16/Jul/2015:15:31:05 -0700] - Calling plugin 'deref' #4 type 403 [16/Jul/2015:15:31:05 -0700] deref-plugin - -- deref_pre_search
Re: [389-users] DNA Plugin Causes 389-DS to Crash if Large Number of Candidates
On 07/16/2015 05:47 PM, Fong, Trevor wrote: Hi Guys, We’re running 389-ds 1.2.11.29-1.el6 Can you upgrade to a newer version? There have been several releases since then. and are experimenting with the DNA plugin. When trying to set an existing account’s uidNumber to the magic regen number of 9, we get the error message in the errors log: Allocation of a new value for range cn=uid numbers,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. And then DS becomes unresponsive. If the server is crashed: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes If the server is hung: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs Looking at the debug error logs, it seems that the number of candidates defined by the combination of dnaScope and dnaFilter is too large (1389387 ids) for the sort function? Looks like it. Is there a fix? Or is there some error in our setup? Looks like you are hitting the idlistscanlimit: [16/Jul/2015:15:31:06 -0700] - = index_read( employeeNumber + ) [16/Jul/2015:15:31:06 -0700] -indextype: pres indexmask: 0x3 [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=207 ... [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=4075 [16/Jul/2015:15:31:06 -0700] - idl_new_fetch + returns allids [16/Jul/2015:15:31:06 -0700] - = index_read 1389387 candidates ... [16/Jul/2015:15:31:06 -0700] - = index_read( objectClass = posixaccount ) [16/Jul/2015:15:31:06 -0700] -indextype: eq indexmask: 0x2 [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=207 ... [16/Jul/2015:15:31:06 -0700] - bulk fetch buffer nids=4075 [16/Jul/2015:15:31:06 -0700] - idl_new_fetch =posixaccount returns allids [16/Jul/2015:15:31:06 -0700] - = index_read 1389387 candidates [16/Jul/2015:15:31:06 -0700] -ival[0] = posixaccount = 1389387 IDs ... [16/Jul/2015:15:31:06 -0700] - Asked to sort ALLIDS candidate list, refusing [16/Jul/2015:15:31:06 -0700] - = send_ldap_result 12::Sort Response Control You might try raising the nsslapd-idlistscanlimit to be greater than 1389387 Thanks, Trev Our setup is thus: dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: extensibleObject objectClass: nsContainer objectClass: nsSlapdPlugin objectClass: top cn: Distributed Numeric Assignment Plugin nsslapd-pluginDescription: Distributed Numeric Assignment plugin nsslapd-pluginEnabled: on nsslapd-pluginId: Distributed Numeric Assignment nsslapd-pluginInitfunc: dna_init nsslapd-pluginPath: libdna-plugin nsslapd-pluginType: bepreoperation nsslapd-pluginVendor: 389 Project nsslapd-pluginVersion: 1.2.11.29 nsslapd-plugin-depends-on-type: database dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=co nfig objectClass: extensibleObject objectClass: top cn: UID numbers dnaFilter: ((employeeNumber=*)(objectclass=posixAccount)) dnaMagicRegen: 9 dnaNextValue: 1002 dnaScope: ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com dnaType: uidNumber Error log: [16/Jul/2015:15:31:05 -0700] - add_pb [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907e68, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907d30, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - get_pb [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use: 0 [16/Jul/2015:15:31:05 -0700] - do_modify [16/Jul/2015:15:31:05 -0700] - do_modify: dn (uid=myacct,ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com) [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls no controls [16/Jul/2015:15:31:05 -0700] - modifications: [16/Jul/2015:15:31:05 -0700] - replace: uidNumber [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.12) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.18) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - mapping tree selected backend : userRoot [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.12) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.18) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0
[389-users] DNA Plugin Causes 389-DS to Crash if Large Number of Candidates
Hi Guys, We’re running 389-ds 1.2.11.29-1.el6 and are experimenting with the DNA plugin. When trying to set an existing account’s uidNumber to the magic regen number of 9, we get the error message in the errors log: Allocation of a new value for range cn=uid numbers,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. And then DS becomes unresponsive. Looking at the debug error logs, it seems that the number of candidates defined by the combination of dnaScope and dnaFilter is too large (1389387 ids) for the sort function? Is there a fix? Or is there some error in our setup? Thanks, Trev Our setup is thus: dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: extensibleObject objectClass: nsContainer objectClass: nsSlapdPlugin objectClass: top cn: Distributed Numeric Assignment Plugin nsslapd-pluginDescription: Distributed Numeric Assignment plugin nsslapd-pluginEnabled: on nsslapd-pluginId: Distributed Numeric Assignment nsslapd-pluginInitfunc: dna_init nsslapd-pluginPath: libdna-plugin nsslapd-pluginType: bepreoperation nsslapd-pluginVendor: 389 Project nsslapd-pluginVersion: 1.2.11.29 nsslapd-plugin-depends-on-type: database dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=co nfig objectClass: extensibleObject objectClass: top cn: UID numbers dnaFilter: ((employeeNumber=*)(objectclass=posixAccount)) dnaMagicRegen: 9 dnaNextValue: 1002 dnaScope: ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com dnaType: uidNumber Error log: [16/Jul/2015:15:31:05 -0700] - add_pb [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907e68, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x2907d30, handle=8 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout [16/Jul/2015:15:31:05 -0700] - -- pagedresults_is_timedout: - [16/Jul/2015:15:31:05 -0700] - get_pb [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use [16/Jul/2015:15:31:05 -0700] - -- pagedresults_in_use: 0 [16/Jul/2015:15:31:05 -0700] - do_modify [16/Jul/2015:15:31:05 -0700] - do_modify: dn (uid=myacct,ou=PEOPLE,ou=IDM,dc=dev,dc=example,dc=com) [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls [16/Jul/2015:15:31:05 -0700] - = get_ldapmessage_controls no controls [16/Jul/2015:15:31:05 -0700] - modifications: [16/Jul/2015:15:31:05 -0700] - replace: uidNumber [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.12) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.18) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - mapping tree selected backend : userRoot [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.12) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present (looking for 2.16.840.1.113730.3.4.18) [16/Jul/2015:15:31:05 -0700] - = slapi_control_present 0 (NO CONTROLS) [16/Jul/2015:15:31:05 -0700] - mapping tree selected backend : userRoot [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x0, handle=6 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x0, handle=5 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = compute_limits: sizelimit=-1, timelimit=-1 [16/Jul/2015:15:31:05 -0700] - Calling plugin 'Account Usability Plugin' #1 type 403 [16/Jul/2015:15:31:05 -0700] account-usability-plugin - -- auc_pre_search [16/Jul/2015:15:31:05 -0700] account-usability-plugin - -- auc_pre_op [16/Jul/2015:15:31:05 -0700] - Calling plugin 'ACL preoperation' #2 type 403 [16/Jul/2015:15:31:05 -0700] - Calling plugin 'deref' #4 type 403 [16/Jul/2015:15:31:05 -0700] deref-plugin - -- deref_pre_search [16/Jul/2015:15:31:05 -0700] deref-plugin - -- deref_pre_op [16/Jul/2015:15:31:05 -0700] - Calling plugin 'Legacy replication preoperation plugin' #6 type 403 [16/Jul/2015:15:31:05 -0700] - Calling plugin 'Multimaster replication preoperation plugin' #9 type 403 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() conn=0x0, handle=0 [16/Jul/2015:15:31:05 -0700] - = slapi_reslimit_get_integer_limit() returning NO VALUE [16/Jul/2015:15:31:05 -0700] - = find_entry_internal