The problem was originally described here: http://lists.fedoraproject.org/pipermail/389-devel/2009-March/001020.html
Shorter description: we noticed that some queries (ldapsearch) to our directory caused a drop in performance, and our log file was filled with the following message:
acl_TestRights - cache overflown
We also noticed that increasing the value ACLPB_MAX_SELECTED_ACLS from 200 to 2000 solved the problem for us. A more permanent solution could be to make this value configurable.
We have made a patch that seems to solve the problem, as far as we have tested. I will upload it as soon as it is ready for review.
62e93bc..0070a45 master -> master
Author: nturpin email@example.com
Date: Tue Dec 27 21:31:53 2011 +0100
Ticket #3: acl cache overflown problem
Fix Description: We have made ACLPB_MAX_SELECTED_ACLS and ACLPB_MAX_CACHE_RE
Their default value is still 200 (same as before). To modify this value,
you can add or
modify the attribute "nsslapd-aclpb-max-selected-acls" in the ACL plugin
config entry "cn=ACL Plugin,cn=plugins,cn=config".
- The constants were replaced with variables (same name in lower case)
- On init: the variables are initialized with the value contained in the
attribute, if it exists in config. Otherwise they are set to the defau
- The arrays that depend on these values are now dynamically allocated
- On init: acl__malloc_aclpb ( )
- On pre-operation: acl_conn_ext_constructor ( ... )
- The memory is freed:
- On shutdown: acl_destroy_aclpb_pool()
- On post-operation: acl_conn_ext_destructor ( ... )
- I also free the space for aclQueue in acl_destroy_aclpb_pool(), since
it is not done anywhere.
Platforms tested: Fedora 16, RHEL6
Reviewed by: rmeggins (and changed name of attribute slightly)
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=772778
Added initial screened field value.
Metadata Update from @nturpin:
- Issue assigned to rmeggins
- Issue set to the milestone: 1.2.10
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)
to comment on this ticket.