[Freeipa-users] Fwd: Fwd: Fwd: Scorched earth
Morning update. I made the change Rob suggested to /etc/ipa/default.conf, which appeared to work, but didn't quite. It asked me to back out the whole server installation and start over:

[ipamaster2]# ipa-ca-install --skip-conncheck replica-info-ipamaster2.foo.net.gpg
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed.
[ipamaster2]#

Which uninstallation cleanup I did. Now, when trying to re-install the replica file:

[ipamaster2]# ipa-replica-install --setup-dns --no-forwarders --setup-ca /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipamaster.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@foo.net password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipamaster2.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.

Connection check OK
The host ipamaster2.foo.net already exists on the master server.
You should remove it before proceeding:
    % ipa host-del ipamaster2.foo.net
ipa         : ERROR    Could not resolve hostname ipamaster.foo.net using DNS.
Clients may not function properly.
Please check your DNS setup.
(Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes

[ipamaster2]# host ipamaster.foo.net
ipamaster.foo.net has address 1.2.3.4

No matter what answer I give to the Continue? prompt, it just exits. nslookup returns the same value, and I have three different nameservers configured for this host (including ipamaster and two of the older replicas).

And this message is the one that has prompted me to want to delete hosts before installing in the past, Simo.

Any thoughts on how best to proceed now?

Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret

On Thu, Aug 29, 2013 at 2:59 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

Bret Wortman wrote:
Okay, I got the cacert.p12 (turns out it was taking my passphrase, but the messages looked like errors to my addled eyes). This system is on a different network, so getting the file transferred would take me about 24 hours. Is there something I can get that'll tell you what you need but is plaintext?

Ok, that's fine. Try this. Set ra_plugin to dogtag in /etc/ipa/default.conf. This will let it get past the error and it should install a CA. I'm trying to think worst case scenario what it might do and I'm not coming up with anything. I think the worst that happens is that adding a CA fails later.

rob

I tried this and hope this subset of information is helpful:

# openssl pkcs12 -in cacert.p12 -out cacert.pem.bdw -cacerts -nokeys
# cat cacert.pem.bdw
Bag Attributes: <No Attributes>
subject=/O=FOO.NET/CN=Certificate Authority
issuer=/O=FOO.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDgzCCA...
...Iwk4r
-----END CERTIFICATE-----

# openssl pkcs12 -in cacert.p12 -out cert.pem.bdw -clcerts -nokeys
# cat cert.pem.bdw
Bag Attributes:
    localKeyID: 82 81 2D 6E 5C 13 43 9A 5F BB C8 4D F5 6B DE 6C A7 2E 53 88
    friendlyName: caSigningCert cert-pki-ca
subject=/O=FOO.NET/CN=Certificate Authority
issuer=/O=FOO.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDgzCCA...
...Iwk4r
-----END CERTIFICATE-----
Bag Attributes:
    localKeyID: 88 BF DF 56 30 BB A9 47 12 D4 5F 7B AE 39 DC BF CF F5 92 22
    friendlyName: ocspSigningCert cert-pki-ca
subject=/O=FOO.NET/CN=OCSP
Re: [Freeipa-users] setting up a client on Debian squeeze
On Thu, Aug 29, 2013 at 10:04:43PM -0400, Rob Crittenden wrote:

Michał Dwużnik wrote:
Sorry for quick continuation...

Certificate added to nss DB in /etc/pki:

    certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options, that the pieces fit together?

Perhaps exercise nss with:

    % id admin
    % getent passwd admin
    % getent group admin

You can substitute admin for any IPA user or group.

And really you can skip the cert step if you want. Unless you have something that will use it we put a cert on the system as a convenience right now. There isn't currently anything using it by default.

rob

On the client, one piece of functionality where you need the cert are password migrations from LDAP to IPA. I don't think that's your case, though.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth
On 08/30/2013 10:23 AM, Bret Wortman wrote:
Morning update. I made the change Rob suggested to /etc/ipa/default.conf, which appeared to work, but didn't quite. It asked me to back out the whole server installation and start over:

[ipamaster2]# ipa-ca-install --skip-conncheck replica-info-ipamaster2.foo.net.gpg
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Can you look into /var/log/ipareplica-ca-install.log? It should have more information on what caused pkispawn to fail.

Configuration of CA failed.
[ipamaster2]#

Which uninstallation cleanup I did. Now, when trying to re-install the replica file:

[ipamaster2]# ipa-replica-install --setup-dns --no-forwarders --setup-ca /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipamaster.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@foo.net password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipamaster2.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.

Connection check OK
The host ipamaster2.foo.net already exists on the master server.
You should remove it before proceeding:
    % ipa host-del ipamaster2.foo.net
ipa         : ERROR    Could not resolve hostname ipamaster.foo.net using DNS.
Clients may not function properly.
Please check your DNS setup.
(Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes

[ipamaster2]# host ipamaster.foo.net
ipamaster.foo.net has address 1.2.3.4

No matter what answer I give to the Continue? prompt, it just exits. nslookup returns the same value, and I have three different nameservers configured for this host (including ipamaster and two of the older replicas).

The error that caused the installation to fail is that ipamaster2.foo.net already exists on the master server. The DNS warning and its Continue? prompt is unrelated, but the order of the output is very confusing. I've filed ticket 3889 for this.

Anyway, to do this DNS resolution check you'd need to explicitly ask for the IPA server:

    $ dig @ipamaster.foo.net ipamaster2.foo.net

And this message is the one that has prompted me to want to delete hosts before installing in the past, Simo.

Any thoughts on how best to proceed now?

I believe you do need to delete the host at this point, but I'd rather have Rob or Simo confirm.
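What the installer's DNS warning is actually testing, as an added example (my own code, not FreeIPA's and not part of this thread): the check asks the IPA DNS server directly and ignores /etc/hosts and the local resolver, so a successful local `host` or `nslookup` proves little. The script below sends an A query straight to a named server, which is what `dig @ipamaster.foo.net ipamaster2.foo.net` does, and probes the TCP ports the conncheck output lists. The host names, the constructed reply packet and the 192.0.2.10 address (a documentation range) are assumptions, not values from the thread.

```python
"""Pre-flight DNS and port check for an IPA replica (added example, not FreeIPA code)."""
import socket
import struct
import sys

# TCP ports ipa-replica-install's conncheck verifies, taken from the output in the thread.
CONNCHECK_TCP_PORTS = {
    389: "Directory Service: Unsecure port",
    636: "Directory Service: Secure port",
    88: "Kerberos KDC",
    464: "Kerberos Kpasswd",
    80: "HTTP Server: Unsecure port",
    443: "HTTP Server: Secure port",
}


def encode_name(name):
    """RFC 1035 wire form: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(name, txid):
    """Header (flags 0x0100 = recursion desired) followed by one IN A question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a possibly compressed name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length


def parse_a_answers(msg, txid):
    """IPv4 strings from the answer section; raise on a wrong transaction id or an error rcode."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned rcode {rcode} (3 = NXDOMAIN)")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def build_a_response(name, ipv4, txid, rcode=0):
    """Constructed reply for offline use: echoes the question and answers via a pointer to it."""
    answers = 0 if rcode else 1
    msg = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, answers, 0, 0)
    msg += encode_name(name) + struct.pack(">HH", 1, 1)
    if answers:
        msg += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ipv4)
    return msg


def resolve_via(server_ip, name, timeout=3.0):
    """Ask `server_ip` over UDP/53 directly, bypassing /etc/hosts and resolv.conf."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, txid)


def tcp_port_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(master_ip, master_name, replica_name):
    """What the master's own DNS says about both hosts, plus conncheck's TCP ports on the master."""
    report = {}
    for name in (master_name, replica_name):
        try:
            report[name] = resolve_via(master_ip, name)
        except (OSError, ValueError) as exc:
            report[name] = f"FAILED: {exc}"
    for port, label in CONNCHECK_TCP_PORTS.items():
        report[f"{label} ({port})"] = "OK" if tcp_port_open(master_ip, port) else "CLOSED"
    return report


if __name__ == "__main__":
    # usage (arguments are assumptions): preflight.py <master ip> <master fqdn> <replica fqdn>
    if len(sys.argv) != 4:
        sys.exit("usage: preflight.py MASTER_IP MASTER_FQDN REPLICA_FQDN")
    for key, value in preflight(*sys.argv[1:4]).items():
        print(f"{key}: {value}")
```

Run it from the replica against the master's address; a FAILED line for the replica's own name is the condition the installer warns about, whatever the local resolver says. UDP 88 and 464 are left to a manual check, as the conncheck output itself notes.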
Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth
Bret Wortman wrote:
Still odder ... I went ahead and tried to delete the agreement:

[ipamaster]# ipa-replica-manage del ipamaster3.foo.net --force
'ipamaster.foo.net' has no replication agreement for 'ipamaster3.foo.net'
[ipamaster]#

Dug back into the script and realized upon further reading (and widening my read to more of the code) that found was being set True elsewhere -- where it was complaining about how ipamaster knew about ipamaster3 already. Fair enough. So I hopped on over there and removed it. Which worked. And now the script proceeds much better. Guess the third cup of coffee helped.

CA configuration still failed, though, at the same place as before (though executed as part of ipa-replica-install --setup-ca this time):

  [2/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpnq_J4d' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed.

/This/ time, I'm not going to run the --uninstall command until someone on the team tells me to do so.

Ok. What we'll need to see is the full /var/log/ipareplica-install.log and the CA debug log from /var/log/pki/pki-tomcat/ca/debug. The CA team sometimes wants the debug log from the master you're cloning from too.

You can send these to me out of band if you'd like, the debug logs in particular tend to be humongous.

rob
Re: [Freeipa-users] setting up a client on Debian squeeze
Ok, I somehow assumed certs are very much needed for ldaps...

In the meantime, I set up a debian wheezy machine to try the freeipa-client from debs. I managed to get working ipa-client (with a few quirks... - default nss database needed to be created) with packages from

    deb http://apt.numeezy.fr wheezy main
    deb-src http://apt.numeezy.fr wheezy main

So now I have a ready set of debian-like configs for wheezy, making it work with squeeze seems easier now (it comes with learning, too...)

I must admit ipa-client debug option is lovely as a step-by-step guide for trying by hand :)

Going back to thinking whether to try getting ipa on squeeze or getting the legacy software working with squeeze... (some of the scientists seem to be the happiest if the system is totally unchanged for some 20 years...).

Regards
Michal

PS: I do see hope for rooting out the last instance of NIS on the campus :)
Re: [Freeipa-users] setting up a client on Debian squeeze
On Fri, Aug 30, 2013 at 03:54:54PM +0200, Michał Dwużnik wrote:
Ok, I somehow assumed certs are very much needed for ldaps...

Well, for most operations the SSSD uses GSSAPI authentication. Only when passwords are migrated, we do an LDAP bind with StartTLS.

In the meantime, I set up a debian wheezy machine to try the freeipa-client from debs. I managed to get working ipa-client (with a few quirks... - default nss database needed to be created) with packages from

    deb http://apt.numeezy.fr wheezy main
    deb-src http://apt.numeezy.fr wheezy main

So now I have a ready set of debian-like configs for wheezy, making it work with squeeze seems easier now (it comes with learning, too...)

I must admit ipa-client debug option is lovely as a step-by-step guide for trying by hand :)

Going back to thinking whether to try getting ipa on squeeze or getting the legacy software working with squeeze... (some of the scientists seem to be the happiest if the system is totally unchanged for some 20 years...).

Regards
Michal

PS: I do see hope for rooting out the last instance of NIS on the campus :)

Terminate it with extreme prejudice :-)
Re: [Freeipa-users] IPA Load Problems?
Rob or anyone else,

So while struggling along on this server I just grabbed the logs off it and ran that log program with the options you suggested. There are a lot of unindexed requests. These are the top issues (I've removed the one username that showed up). So just to double check what I'm thinking, I need to create three indexes:

1. objectclass pres
2. objectclass eq
3. uid pres

Please let me know if I'm reading this correctly or if I'm way off?

7337  (objectclass=inetorgperson)
4597  (objectclass=*)
4560  (&(objectclass=inetorgperson)(uid=senior.developer.login))
 307  (objectclass=krbticketpolicyaux)
 292  (uid=*)

Thanks,
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311  Mobile: 240.460.0023  Fax: 703.678.2312
www.digitalreasoning.com

On Aug 28, 2013, at 11:40 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

John Moyer wrote:
So this method of search logs is great, and it shows some indexes that would likely highly increase efficiency with my usage. So, are there instructions how to do that? or do you know off hand how to do that?

I'd start with https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes

Note that you'll want to create the same index on all hosts. This configuration is not replicated.

You can see the ones we create in /usr/share/ipa/indices.ldif and /usr/share/ipa/updates/20-indices.update

rob

Thanks,
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.

On Aug 27, 2013, at 4:45 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

John Moyer wrote:
Wow, this is quite insightful, this is the output from that, it looks like there aren't many unindexed searches (319 doesn't seem like a lot to me at least). Do you have any suggestions from this output?

There are a slew of options you can provide to logconv.pl. I typically use logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing search analysis.

rob

Start of Log:                27/Aug/2013:02:36:08
End of Log:                  27/Aug/2013:12:17:15
Processed Log Time:          9 Hours, 41 Minutes, 7 Seconds

Restarts:                    2
Total Connections:           45224
SSL Connections:             44735
Peak Concurrent Connections: 76
Total Operations:            132568
Total Results:               132737
Overall Performance:         100.0%

Searches:                    61318   (1.76/sec)  (105.52/min)
Modifications:               277     (0.01/sec)  (0.48/min)
Adds:                        10      (0.00/sec)  (0.02/min)
Deletes:                     12      (0.00/sec)  (0.02/min)
Mod RDNs:                    0       (0.00/sec)  (0.00/min)
Compares:                    0       (0.00/sec)  (0.00/min)
Binds:                       62143   (1.78/sec)  (106.94/min)

Proxied Auth Operations:     0
Persistent Searches:         3
Internal Operations:         0
Entry Operations:            0
Extended Operations:         8808
Abandoned Requests:          0
Smart Referrals Received:    0

VLV Operations:              0
VLV Unindexed Searches:      0
SORT Operations:             353

Entire Search Base Queries:  106
Unindexed Searches:          319

FDs Taken:                   45262
FDs Returned:                45210
Highest FD Taken:            139

Broken Pipes:                0
Connections Reset By Peer:   0
Resource Unavailable:        0

Binds:                       62143
Unbinds:                     44539

LDAP v2 Binds:               2
LDAP v3 Binds:               62141
SSL Client Binds:            0
Failed SSL Client Binds:     0
SASL Binds:                  1466
  1458  GSSAPI
  8     EXTERNAL

Directory Manager Binds:     10
Anonymous Binds:             1476
Other Binds:                 60657

Thanks,
John Moyer
Director, IT Operations

On Aug 27, 2013, at 1:13 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

John Moyer wrote:
Is there any way to see what fields are indexed?

$ ldapsearch -LLL -D 'cn=directory manager' -W -x -b 'cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'

Your best bet is to use the logconv.pl tool to examine your logs.

rob

Thanks,
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311  Mobile: 240.460.0023  Fax:
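The part of the logconv.pl analysis this thread leans on, as an added example (my own code, not logconv.pl, 389-ds or FreeIPA): the directory server tags the RESULT line of every search it could not satisfy from an index with notes=U, so the job is to pair each SRCH line with its RESULT on (conn, op), keep the flagged filters, and turn each filter component into the attribute/index-type pair that would cover it. The access log lines below are constructed in the 389-ds format; the base DNs and the user name are placeholders. Following Rich's advice in the thread, a presence index on objectclass is never suggested.

```python
"""Report unindexed searches from a 389-ds access log and the index types they imply."""
import re
from collections import Counter

# Constructed sample in 389-ds access-log format (not from the thread's server).
SAMPLE_ACCESS_LOG = """\
[27/Aug/2013:02:36:08 -0400] conn=11 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Aug/2013:02:36:08 -0400] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=foo,dc=net"
[27/Aug/2013:02:36:09 -0400] conn=11 op=2 SRCH base="cn=accounts,dc=foo,dc=net" scope=2 filter="(uid=*)" attrs="uid"
[27/Aug/2013:02:36:09 -0400] conn=11 op=2 RESULT err=0 tag=101 nentries=512 etime=2 notes=U
[27/Aug/2013:02:36:10 -0400] conn=11 op=3 SRCH base="cn=users,cn=accounts,dc=foo,dc=net" scope=2 filter="(&(objectClass=inetorgperson)(uid=senior.developer.login))" attrs=ALL
[27/Aug/2013:02:36:10 -0400] conn=11 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[27/Aug/2013:02:36:11 -0400] conn=12 op=1 SRCH base="cn=accounts,dc=foo,dc=net" scope=2 filter="(objectClass=*)" attrs="dn"
[27/Aug/2013:02:36:12 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=9000 etime=5 notes=U
[27/Aug/2013:02:36:13 -0400] conn=12 op=2 SRCH base="cn=accounts,dc=foo,dc=net" scope=2 filter="(&(objectClass=ipaHost)(fqdn=*.foo.net))" attrs="fqdn"
[27/Aug/2013:02:36:13 -0400] conn=12 op=2 RESULT err=0 tag=101 nentries=40 etime=1 notes=U
[27/Aug/2013:02:36:14 -0400] conn=11 op=4 SRCH base="cn=accounts,dc=foo,dc=net" scope=2 filter="(uid=*)" attrs="uid"
[27/Aug/2013:02:36:14 -0400] conn=11 op=4 RESULT err=0 tag=101 nentries=512 etime=2 notes=U
"""

SRCH_RE = re.compile(
    r'\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>.*)" attrs='
)
RESULT_RE = re.compile(r'\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')
NOTES_RE = re.compile(r'\bnotes=([A-Z,]+)')
# One filter component: (attr op value). The '&' / '|' / '!' wrappers never match here.
ITEM_RE = re.compile(r'\((?P<attr>[A-Za-z][\w.;-]*)(?P<op>>=|<=|~=|=)(?P<val>[^()]*)\)')

# Per the thread: do not build a presence index on objectclass; every entry has the attribute,
# so the index would select the whole database and gain nothing over a full scan.
SKIP = {("objectclass", "pres")}


def unindexed_searches(lines):
    """Counter of filters whose RESULT carried notes=U, pairing SRCH and RESULT on (conn, op)."""
    pending = {}                       # (conn, op) -> filter, until its RESULT line arrives
    unindexed = Counter()
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = m["filter"]
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        filt = pending.pop((m["conn"], m["op"]), None)   # BIND/MOD results have no pending SRCH
        notes = NOTES_RE.search(line)
        flags = set(notes.group(1).split(",")) if notes else set()
        if filt is not None and "U" in flags:
            unindexed[filt] += 1
    return unindexed


def index_hints(filters):
    """Map unindexed filters to {(attribute, index type): hit count} that would cover them."""
    hints = {}
    for filt, count in filters.items():
        for m in ITEM_RE.finditer(filt):
            attr, op, val = m["attr"].lower(), m["op"], m["val"]
            if op == "~=":
                kind = "approx"
            elif val == "*":
                kind = "pres"
            elif "*" in val:
                kind = "sub"
            else:
                kind = "eq"            # exact match and range (>=, <=) both go through the eq index
            if (attr, kind) in SKIP:
                continue
            hints[(attr, kind)] = hints.get((attr, kind), 0) + count
    return hints


if __name__ == "__main__":
    found = unindexed_searches(SAMPLE_ACCESS_LOG.splitlines())
    for filt, count in found.most_common():
        print(f"{count:6d}  {filt}")
    for (attr, kind), count in sorted(index_hints(found).items()):
        print(f"suggest index: {attr} {kind}  (covers {count} unindexed searches)")
```

Feed it a real file with `unindexed_searches(open(path))`. A suggested pair still has to be compared against what `cn=index` on each master already holds: an attribute the server already indexes for that type, as Rich says objectclass eq is, points at a different cause (for example an idlistscanlimit overflow) rather than a missing index.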
Re: [Freeipa-users] IPA Load Problems?
If objectclass eq is already indexed how are these on my top unindexed list? Wouldn't objectclass eq cover this (objectclass=inetorgperson)? and the third and fourth entry? I apologize if I'm way off as I am new to the intricacies of LDAP indexing.

Thanks,
John Moyer
Director, IT Operations

On Aug 30, 2013, at 3:41 PM, Rich Megginson <rmegg...@redhat.com> wrote:

On 08/30/2013 01:31 PM, John Moyer wrote:
Rob or anyone else,

So while struggling along on this server I just grabbed the logs off it and ran that log program with the options you suggested. There are a lot of unindexed requests. These are the top issues (I've removed the one username that showed up). So just to double check what I'm thinking, I need to create three indexes:

1. objectclass pres

No, do not create this one

2. objectclass eq

This should already be indexed

3. uid pres

I suppose the UI might be doing this search?

Please let me know if I'm reading this correctly or if I'm way off?

7337  (objectclass=inetorgperson)
4597  (objectclass=*)
4560  (&(objectclass=inetorgperson)(uid=senior.developer.login))
 307  (objectclass=krbticketpolicyaux)
 292  (uid=*)
[Freeipa-users] FreeIPA on Debian
Hello,

Sorry for cross posting to 4 different lists but it seems that this is the best way to include most of people who might be interested in this discussion.

The question of "When will FreeIPA be available on Debian?" has been coming up periodically on the list(s) without any resolution. However it is clear that it would be beneficial for the community and the project. Maybe it is time to try again?

Let us see why it has not happened yet:

1) Some components need to be ported to Debian, especially Dogtag and a slew of its new RESTEasy dependencies. This requires time and quite an effort from someone familiar with the domain.
2) The code needs to be changed in the installer and potentially in other places, as it might have had some Fedorisms blended in.
3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages.

Can we pull it off together this time? Say we plan for some Dogtag and IPA domain experts to work on the port during Nov 13 - Feb 14 and address 1) and 2). Would there be any interest to join forces with them? Would there be anyone to take on item 3) from the list above?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] IPA Load Problems?
On 08/30/2013 01:31 PM, John Moyer wrote:
Rob or anyone else,

So while struggling along on this server I just grabbed the logs off it and ran that log program with the options you suggested. There are a lot of unindexed requests. These are the top issues (I've removed the one username that showed up). So just to double check what I'm thinking, I need to create three indexes:

1. objectclass pres

No, do not create this one

2. objectclass eq

This should already be indexed

3. uid pres

I suppose the UI might be doing this search?

Please let me know if I'm reading this correctly or if I'm way off?

7337  (objectclass=inetorgperson)
4597  (objectclass=*)
4560  (&(objectclass=inetorgperson)(uid=senior.developer.login))
 307  (objectclass=krbticketpolicyaux)
 292  (uid=*)

Thanks,
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311  Mobile: 240.460.0023  Fax: 703.678.2312
www.digitalreasoning.com

On Aug 28, 2013, at 11:40 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

John Moyer wrote:
So this method of search logs is great, and it shows some indexes that would likely highly increase efficiency with my usage. So, are there instructions how to do that? or do you know off hand how to do that?

I'd start with https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes

Note that you'll want to create the same index on all hosts. This configuration is not replicated.

You can see the ones we create in /usr/share/ipa/indices.ldif and /usr/share/ipa/updates/20-indices.update

rob
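Rob's two points, that the existing indexes can be read from the cn=index subtree with the ldapsearch command he gave and that a new index has to be created on every master because that configuration is not replicated, combined with Rich's "this should already be indexed", as an added example (my own code, not FreeIPA's or 389-ds's): parse the ldapsearch output from each master, keep only the index types that master is missing, and produce for it the LDIF that adds or extends the index entry and queues the reindex task that makes the index usable for existing entries. The two index dumps, the host names and the wanted set (the thread's list with the objectclass presence index dropped on Rich's advice) are constructed.

```python
"""Per-master index gap analysis and LDIF generation for 389-ds under FreeIPA (added example)."""

INDEX_BASE = "cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

# Constructed `ldapsearch -LLL ... -b "cn=index,..."` output from two masters.
# Lines longer than 76 characters are folded with a leading space, as ldapsearch prints them.
SAMPLE_MASTER1 = """\
dn: cn=objectclass,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=confi
 g
objectClass: top
objectClass: nsIndex
cn: objectclass
nsSystemIndex: true
nsIndexType: eq

dn: cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: uid
nsSystemIndex: false
nsIndexType: eq
"""

SAMPLE_MASTER2 = SAMPLE_MASTER1 + """
dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: fqdn
nsSystemIndex: false
nsIndexType: eq
nsIndexType: sub
"""

# The thread's candidate list minus "objectclass pres" (never build that one).
WANTED = {("uid", "pres"), ("objectclass", "eq"), ("fqdn", "sub")}


def _unfold(text):
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_index_ldif(text):
    """{attribute: {index types}} from the cn=index subtree dump."""
    existing, attr, types = {}, None, set()
    for line in _unfold(text) + [""]:
        line = line.strip()
        if not line:                      # a blank line ends the entry
            if attr is not None:
                existing[attr] = types
            attr, types = None, set()
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "cn":
            attr = value
        elif key == "nsindextype":
            types.add(value)
    return existing


def missing_indexes(existing, wanted):
    """Sorted (attribute, type) pairs from `wanted` that `existing` does not already provide."""
    return sorted((a, t) for a, t in wanted if t not in existing.get(a, set()))


def index_ldif(attr, types, already_configured):
    """LDIF that adds index types for one attribute, plus the db2index task for that attribute."""
    dn = f"dn: cn={attr},{INDEX_BASE}"
    if already_configured:                # extend the existing cn=<attr> entry
        entry = [dn, "changetype: modify", "add: nsIndexType"]
    else:                                 # create it; nsSystemIndex: false marks it as ours
        entry = [dn, "changetype: add", "objectClass: top", "objectClass: nsIndex",
                 f"cn: {attr}", "nsSystemIndex: false"]
    entry += [f"nsIndexType: {t}" for t in types]
    # Without the task the new index only covers entries written after the change.
    task = [f"dn: cn=reindex-{attr},cn=index,cn=tasks,cn=config", "changetype: add",
            "objectClass: top", "objectClass: extensibleObject", f"cn: reindex-{attr}",
            "nsInstance: userRoot", f"nsIndexAttribute: {attr}"]
    return "\n".join(entry) + "\n\n" + "\n".join(task) + "\n"


def build_plan(index_dumps, wanted):
    """{host: ldapsearch output} -> {host: LDIF to apply on that host, "" when nothing is missing}."""
    plan = {}
    for host, dump in index_dumps.items():
        existing = parse_index_ldif(dump)
        by_attr = {}
        for attr, kind in missing_indexes(existing, wanted):
            by_attr.setdefault(attr, []).append(kind)
        plan[host] = "\n".join(index_ldif(a, sorted(k), a in existing)
                               for a, k in sorted(by_attr.items()))
    return plan


if __name__ == "__main__":
    dumps = {"ipamaster.foo.net": SAMPLE_MASTER1, "ipamaster2.foo.net": SAMPLE_MASTER2}
    for host, ldif in build_plan(dumps, WANTED).items():
        print(f"### {host}: {'nothing to do' if not ldif else 'apply with ldapmodify -x -D cn=directory manager -W'}")
        print(ldif)
```

Each host gets its own LDIF because each may differ; in the sample, the second master already carries fqdn sub and only needs uid pres. A reindex task runs with the server online but reads the whole backend, so schedule it off-peak.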
Re: [Freeipa-users] IPA Load Problems?
I'm sorry that was my top unique filter list not my unindexed list. Please disregard my last email.

Thanks,
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311  Mobile: 240.460.0023  Fax: 703.678.2312
www.digitalreasoning.com

On Aug 30, 2013, at 3:47 PM, John Moyer <john.mo...@digitalreasoning.com> wrote:

If objectclass eq is already indexed how are these on my top unindexed list? Wouldn't objectclass eq cover this (objectclass=inetorgperson)? and the third and fourth entry? I apologize if I'm way off as I am new to the intricacies of LDAP indexing.

Thanks,
John Moyer
Director, IT Operations