I have an IPA installation with around 7500 host entries. We've started to notice new host enrollment intermittently failing, and tracked the failures back to the following log entry in httpd's error logs:
```
Configured time limit exceeded while getting entries (base DN: cn=computers,cn=accounts,dc=domain,dc=com, filter: (&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverhostname=hostname.domain.com)))
```
Going a bit deeper, the 389 access log indicates the search is unindexed:
```
[09/May/2017:20:21:37.107626978 +0000] conn=3980 op=5 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=hostname.domain.com))" attrs=""
[09/May/2017:20:21:39.379240002 +0000] conn=3980 op=5 RESULT err=3 tag=101 nentries=0 etime=3 notes=U
```
Finally, even more curious is that I noticed on all existing entries, serverHostName is the short hostname, while the above search is using the fqdn.
It seems like an index probably needs to be added to serverHostName, and hostname.split('.', 1)[0] should replace hostname at https://pagure.io/freeipa/blob/master/f/ipaserver/plugins/host.py#_585
host.py get_dn method:
```python
def get_dn(self, *keys, **options):
    hostname = keys[-1]
    dn = super(host, self).get_dn(hostname, **options)
    try:
        self.backend.get_entry(dn, [''])
    except errors.NotFound:
        try:
            entry_attrs = self.backend.find_entry_by_attr(
                'serverhostname', hostname, self.object_class, [''],
                DN(self.container_dn, api.env.basedn))
            dn = entry_attrs.dn
        except errors.NotFound:
            pass
    return dn
```
baseldap.py:
```python
def get_dn(self, *keys, **kwargs):
    if self.parent_object:
        parent_dn = self.api.Object[self.parent_object].get_dn(*keys[:-1])
    else:
        parent_dn = DN(self.container_dn, api.env.basedn)
    if self.rdn_attribute:
        try:
            entry_attrs = self.backend.find_entry_by_attr(
                self.primary_key.name, keys[-1], self.object_class, [''],
                DN(self.container_dn, api.env.basedn)
            )
        except errors.NotFound:
            pass
        else:
            return entry_attrs.dn
    if self.primary_key and keys[-1] is not None:
        return self.backend.make_dn_from_attr(
            self.primary_key.name, keys[-1], parent_dn
        )
    assert isinstance(parent_dn, DN)
    return parent_dn
```
IMO, removing the method from host.py can fix it. But I'm not sure if it would have side effects.
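For anyone checking their own servers for the same symptom, here is an added example (not part of the ticket or of FreeIPA) that pairs SRCH and RESULT lines in a 389 access log by conn/op and reports searches flagged `notes=U`, as in the entry quoted in the report. The function name and the contrast log lines are constructed for illustration, and treating `notes=A` as an unindexed flag assumes a newer 389-ds release.

```python
import re

# Lines 1-2 are the SRCH/RESULT pair quoted in the report; lines 3-4 are
# constructed for contrast (a search that completes without notes=U).
SAMPLE_LOG = """\
[09/May/2017:20:21:37.107626978 +0000] conn=3980 op=5 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=hostname.domain.com))" attrs=""
[09/May/2017:20:21:39.379240002 +0000] conn=3980 op=5 RESULT err=3 tag=101 nentries=0 etime=3 notes=U
[09/May/2017:20:21:40.000000000 +0000] conn=3981 op=2 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=2 filter="(fqdn=hostname.domain.com)" attrs=""
[09/May/2017:20:21:40.100000000 +0000] conn=3981 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                   r'(?P<kind>SRCH|RESULT) (?P<rest>.*)$')
FILTER_RE = re.compile(r'filter="([^"]*)"')
ATTR_RE = re.compile(r'\(([A-Za-z][\w;-]*)[~<>]?=')  # attribute name of each filter term


def find_unindexed(log_text):
    """Pair SRCH/RESULT by (conn, op); return searches whose RESULT has notes=U or notes=A."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue
        key = (m['conn'], m['op'])
        if m['kind'] == 'SRCH':
            pending[key] = (m['ts'], m['rest'])
            continue
        started = pending.pop(key, None)
        fields = dict(kv.split('=', 1) for kv in m['rest'].split() if '=' in kv)
        flags = set(fields.get('notes', '').split(','))
        if started is None or not flags & {'U', 'A'}:
            continue
        flt = FILTER_RE.search(started[1])
        flt = flt.group(1) if flt else ''
        # The log does not say which term lacks an index, so list every attribute used.
        attrs = sorted({a.lower() for a in ATTR_RE.findall(flt)})
        findings.append({
            'time': started[0], 'conn': m['conn'], 'op': m['op'],
            'err': int(fields.get('err', -1)),  # err=3 is LDAP timeLimitExceeded
            'etime': float(fields.get('etime', 0)),
            'filter': flt, 'filter_attrs': attrs,
        })
    return findings


if __name__ == '__main__':
    for f in find_unindexed(SAMPLE_LOG):
        print(f"{f['time']} conn={f['conn']} op={f['op']} err={f['err']} "
              f"etime={f['etime']}s attrs={f['filter_attrs']}")
```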
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.6
Metadata Update from @tdudlak: - Issue assigned to tdudlak
master:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)