Re: [EXTERNAL] Re: Re: Re: new server setup hanging

> 
> We have a number of Linux hosts authenticating to LDAP. Some of them using SSSD had "enumerate=true",

Yeah, you need to disable enumerate=true, because SSSD will do paged searches and that will get around some search limits that normally would block that.

As well, you probably should look at turning on "ignore_group_members=true", because if you don't have that set, then SSSD will enumerate your whole directory too. 

> which means they run a search for everything every five minutes. Just one of those will tie up the host. The search is:
> filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(uaNetgroupLinuxGid=*))"
> only uaNetgroupLinuxGID is unindexed. Again, this causes no problem on our existing setup.
> 

...

> 
> Thread 49 (Thread 0x7fce91cb8700 (LWP 2176)):
> #0  0x00007fcf0b3929ff in comp_cmp (s1p=<optimized out>, s2p=s2p@entry=0x55955e6fa140 "uaUDCid") at ldap/servers/slapd/attr.c:88
> #1  0x00007fcf0b392bc9 in slapi_attr_type_cmp (a1=a1@entry=0x55945a2b7b90 "uaee121Shell", a2=0x55955e6fa140 "uaUDCid", opt=opt@entry=2) at ldap/servers/slapd/attr.c:122
> #2  0x00007fcf0b3944ff in attrlist_find_ex (a=<optimized out>, type=type@entry=0x55945a2b7b90 "uaee121Shell", type_name_disposition=type_name_disposition@entry=0x0, actual_type_name=actual_type_name@entry=0x0, hint=hint@entry=0x7fce91cb2488) at ldap/servers/slapd/attrlist.c:176
> #3  0x00007fcf0b3b7211 in test_presence_filter (pb=pb@entry=0x0, e=e@entry=0x55955e6ee300, type=0x55945a2b7b90 "uaee121Shell", verify_access=verify_access@entry=0, only_check_access=only_check_access@entry=0, access_check_done=access_check_done@entry=0x7fce91cb25c0) at ldap/servers/slapd/filterentry.c:355
> #4  0x00007fcf0b42997e in vattr_test_filter (pb=pb@entry=0x0, e=e@entry=0x55955e6ee300, f=f@entry=0x55947509ab80, filter_type=FILTER_TYPE_PRES, type=<optimized out>) at ldap/servers/slapd/vattr.c:753
> #5  0x00007fcf0b3b6ec4 in slapi_vattr_filter_test_ext_internal (pb=pb@entry=0x0, e=0x55955e6ee300, f=0x55947509ab80, verify_access=verify_access@entry=0, only_check_access=only_check_access@entry=0, access_check_done=access_check_done@entry=0x7fce91cb2684) at ldap/servers/slapd/filterentry.c:823
> #6  0x00007fcf0b3b7ba6 in slapi_vattr_filter_test_ext (pb=pb@entry=0x0, e=<optimized out>, f=<optimized out>, verify_access=verify_access@entry=0, only_check_access=only_check_access@entry=0) at ldap/servers/slapd/filterentry.c:771
> #7  0x00007fcf0b3b7bf8 in slapi_vattr_filter_test (pb=pb@entry=0x0, e=<optimized out>, f=<optimized out>, verify_access=verify_access@entry=0) at ldap/servers/slapd/filterentry.c:715
> #8  0x00007fcf01599e02 in acl__resource_match_aci (aclpb=aclpb@entry=0x559474f16000, aci=aci@entry=0x55947509a880, skip_attrEval=skip_attrEval@entry=0, a_matched=a_matched@entry=0x7fce91cb2bd0) at ldap/servers/plugins/acl/acl.c:2422
> #9  0x00007fcf0159b280 in acl__scan_for_acis (err=<synthetic pointer>, aclpb=0x559474f16000) at ldap/servers/plugins/acl/acl.c:1974
> #10 0x00007fcf0159b280 in acl_access_allowed (pb=<optimized out>, e=e@entry=0x55955e6ee300, attr=attr@entry=0x5595925e2ea0 "uid", val=<optimized out>, access=access@entry=2) at ldap/servers/plugins/acl/acl.c:568
> #11 0x00007fcf015ae9f7 in acl_access_allowed_main (pb=<optimized out>, e=0x55955e6ee300, attrs=<optimized out>, val=<optimized out>, access=2, flags=<optimized out>, errbuf=0x0) at ldap/servers/plugins/acl/aclplugin.c:371
> #12 0x00007fcf0b3f0cbc in plugin_call_acl_plugin (pb=pb@entry=0x559475874000, e=e@entry=0x55955e6ee300, attrs=attrs@entry=0x7fce91cb2d10, val=val@entry=0x0, access=access@entry=2, flags=flags@entry=0, errbuf=errbuf@entry=0x0) at ldap/servers/slapd/plugin_acl.c:62
> #13 0x00007fcf0b3b638d in test_filter_access (pb=pb@entry=0x559475874000, e=e@entry=0x55955e6ee300, attr_type=<optimized out>, attr_val=attr_val@entry=0x0) at ldap/servers/slapd/filterentry.c:956
> #14 0x00007fcf0b3b7082 in slapi_vattr_filter_test_ext_internal (pb=pb@entry=0x559475874000, e=e@entry=0x55955e6ee300, f=f@entry=0x559475f39000, verify_access=verify_access@entry=1, only_check_access=only_check_access@entry=0, access_check_done=access_check_done@entry=0x7fce91cb2de4) at ldap/servers/slapd/filterentry.c:855
> #15 0x00007fcf0b3b6d31 in vattr_test_filter_list_and (ftype=160, access_check_done=0x7fce91cb2de4, only_check_access=0, verify_access=1, flist=<optimized out>, e=0x55955e6ee300, pb=0x559475874000) at ldap/servers/slapd/filterentry.c:980
> #16 0x00007fcf0b3b6d31 in slapi_vattr_filter_test_ext_internal (pb=pb@entry=0x559475874000, e=0x55955e6ee300, f=<optimized out>, verify_access=verify_access@entry=1, only_check_access=only_check_access@entry=0, access_check_done=access_check_done@entry=0x7fce91cb2de4) at ldap/servers/slapd/filterentry.c:885
> #17 0x00007fcf0b3b7ba6 in slapi_vattr_filter_test_ext (pb=pb@entry=0x559475874000, e=<optimized out>, f=<optimized out>, verify_access=verify_access@entry=1, only_check_access=only_check_access@entry=0) at ldap/servers/slapd/filterentry.c:771
> #18 0x00007fcf0b3b7bf8 in slapi_vattr_filter_test (pb=pb@entry=0x559475874000, e=<optimized out>, f=<optimized out>, verify_access=verify_access@entry=1) at ldap/servers/slapd/filterentry.c:715
> #19 0x00007fcf002c0df1 in ldbm_back_next_search_entry_ext (pb=0x559475874000, use_extension=0) at ldap/servers/slapd/back-ldbm/ldbm_search.c:1702
> #20 0x00007fcf0b3deca6 in iterate (send_result=1, be=0x559459ae7c70, pr_statp=0x7fce91cb30a4, pagesize=<optimized out>, pnentries=0x7fce91cb3138, pb=0x559475874000) at ldap/servers/slapd/opshared.c:1292
> #21 0x00007fcf0b3deca6 in send_results_ext (pb=pb@entry=0x559475874000, nentries=nentries@entry=0x7fce91cb3138, pagesize=1000, pr_stat=pr_stat@entry=0x7fce91cb30a4, send_result=1) at ldap/servers/slapd/opshared.c:1645
> #22 0x00007fcf0b3e0474 in op_shared_search (pb=pb@entry=0x559475874000, send_result=send_result@entry=1) at ldap/servers/slapd/opshared.c:683
> #23 0x000055945722cc0e in do_search (pb=pb@entry=0x559475874000) at ldap/servers/slapd/search.c:352
> #24 0x000055945721a98a in connection_dispatch_operation (pb=0x559475874000, op=0x559592580b40, conn=0x559475186510) at ldap/servers/slapd/connection.c:651
> #25 0x000055945721a98a in connection_threadmain () at ldap/servers/slapd/connection.c:1793
> #26 0x00007fcf091a0c5b in _pt_root (arg=0x559459ba5200) at ../../../nspr/pr/src/pthreads/ptthread.c:201
> #27 0x00007fcf08b40ea5 in start_thread (arg=0x7fce91cb8700) at pthread_create.c:307
> #28 0x00007fcf081ec8dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Yep, it's holding the backend lock while applying the filter test.

In a condition like:

"(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(uaNetgroupLinuxGid=*))"

You really need everything indexed because here, this really is going to have to enumerate *everything* that is an objectClass posix account, and then apply the filtertest. So you should index uaNetgroupLinuxGid, then the test can be asserted in indexes only which is significantly faster. I recommend a presence and equality index to be safe. 

If you look at the access log and there is any "notes=A", "notes=F", or "notes=U", you should probably check those queries and ensure that all the elements of that filter are indexed, and that all the elements of that filter are present in schema.

Hope that helps, 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
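
Added example (not part of the original message and not 389 Directory Server project code): a Python script for the access-log check described in the reply. It pairs each RESULT line carrying notes=A, notes=F or notes=U with its SRCH line and lists the filter attributes that are missing from an admin-supplied set of indexed attributes. The log lines, the INDEXED set and the attribute uaBogusAttr are constructed for illustration.

```python
import re

# Constructed sample in the 389 DS access-log layout (not taken from the thread).
SAMPLE_LOG = """\
[10/Mar/2021:09:00:00.100000000 +0000] conn=12 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(uaNetgroupLinuxGid=*))" attrs=ALL
[10/Mar/2021:09:00:41.900000000 +0000] conn=12 op=3 RESULT err=0 tag=101 nentries=1000 etime=41.800000000 notes=U,P pr_idx=0 pr_cookie=0
[10/Mar/2021:09:01:00.000000000 +0000] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="uid cn"
[10/Mar/2021:09:01:00.002000000 +0000] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0.002000000
[10/Mar/2021:09:02:00.000000000 +0000] conn=14 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(uaBogusAttr=x))" attrs=ALL
[10/Mar/2021:09:02:00.500000000 +0000] conn=14 op=2 RESULT err=0 tag=101 nentries=0 etime=0.500000000 notes=F
"""
# Assumption: attributes the administrator knows to be indexed (lower-cased).
INDEXED = {"objectclass", "uid", "uidnumber"}
WATCH = {"A", "F", "U"}  # the notes= flags named in the reply

KEY = re.compile(r"conn=(\d+) op=(\d+) (SRCH|RESULT)\b")
FILTER = re.compile(r'filter="(.*?)"(?= attrs=|$)')
NOTES = re.compile(r"notes=([A-Z,]+)")
ETIME = re.compile(r"etime=([\d.]+)")
# Attribute name at the start of each filter item: (attr=, (attr>=, (attr~=, (attr:
ATTR = re.compile(r"\(([A-Za-z][A-Za-z0-9;.-]*)(?:[~<>]?=|:)")

def flagged_searches(log_text, indexed=frozenset()):
    """Return one record per search whose RESULT carries notes=A, F or U."""
    pending = {}   # (conn, op) -> filter of a SRCH still waiting for its RESULT
    findings = []
    for line in log_text.splitlines():
        m = KEY.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if m.group(3) == "SRCH":
            f = FILTER.search(line)
            if f:
                pending[key] = f.group(1)
            continue
        filt = pending.pop(key, None)
        notes = NOTES.search(line)
        flags = set(notes.group(1).split(",")) & WATCH if notes else set()
        if filt is None or not flags:
            continue
        etime = ETIME.search(line)
        attrs = sorted(set(ATTR.findall(filt)))
        findings.append({"conn": key[0], "op": key[1], "notes": sorted(flags),
                         "etime": float(etime.group(1)) if etime else None,
                         "filter": filt,
                         "review": [a for a in attrs if a.lower() not in indexed]})
    return findings

if __name__ == "__main__":
    for hit in flagged_searches(SAMPLE_LOG, INDEXED):
        print(hit)
```

Attributes listed under "review" are the ones to check for a missing index or, for notes=F, a missing schema definition.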



