#6939 ipaserver.plugins.host.get_dn timeout due to unindexed search
Closed: fixed 3 years ago Opened 3 years ago by jbaldridge.

I have an IPA installation with around 7500 host entries. We've started to notice new host enrollment intermittently failing, and tracked the failures back to the following log entry in httpd's error logs:

    Configured time limit exceeded while getting entries (base DN: cn=computers,cn=accounts,dc=domain,dc=com, filter: (&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverhostname=hostname.domain.com)))

Going a bit deeper, the 389 access log indicates the search is unindexed:

    [09/May/2017:20:21:37.107626978 +0000] conn=3980 op=5 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=hostname.domain.com))" attrs=""
    [09/May/2017:20:21:39.379240002 +0000] conn=3980 op=5 RESULT err=3 tag=101 nentries=0 etime=3 notes=U

Finally, even more curious is that I noticed on all existing entries, serverHostName is the short hostname, while the above search is using the fqdn.

It seems like an index probably needs to be added to serverHostName, and hostname.split('.', 1)[0] should replace hostname at https://pagure.io/freeipa/blob/master/f/ipaserver/plugins/host.py#_585
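
Added example, not part of the original report and not FreeIPA or 389 code: a small access-log scan that pairs each SRCH with its RESULT by conn/op and lists the filter attributes of searches flagged notes=U, which is how the missing serverHostName index shows up above. The function names, the second log entry in the sample and the assumption that objectClass is already indexed are illustrative.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the ones quoted in the ticket;
# the last two are an invented indexed search, added for contrast.
SAMPLE_LOG = '''\
[09/May/2017:20:21:37.107626978 +0000] conn=3980 op=5 SRCH base="cn=computers,cn=accounts,dc=domain,dc=com" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=hostname.domain.com))" attrs=""
[09/May/2017:20:21:39.379240002 +0000] conn=3980 op=5 RESULT err=3 tag=101 nentries=0 etime=3 notes=U
[09/May/2017:20:21:40.000000000 +0000] conn=3981 op=2 SRCH base="dc=domain,dc=com" scope=2 filter="(uid=admin)" attrs="uid"
[09/May/2017:20:21:40.001000000 +0000] conn=3981 op=2 RESULT err=0 tag=101 nentries=1 etime=0
'''

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?etime=(\S+)(?: notes=(\S+))?')
# Attribute name directly after "(" and before a comparison operator.
ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)\s*(?:=|~=|>=|<=)')

def unindexed_searches(log_text, flags=frozenset({"U"})):
    """Pair SRCH with RESULT by (conn, op); keep results whose notes carry a flag.

    "U" is the flag shown in the ticket; pass other flags if your server writes them.
    """
    pending, hits = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        srch = pending.pop((m.group(1), m.group(2)), None)
        notes = set((m.group(5) or "").split(","))
        if srch and notes & flags:
            attrs = sorted({a.lower() for a in ATTR_RE.findall(srch[1])})
            hits.append({"conn": int(m.group(1)), "op": int(m.group(2)),
                         "err": int(m.group(3)), "etime": m.group(4),
                         "base": srch[0], "attrs": attrs})
    return hits

def candidate_attrs(hits, known_indexed=("objectclass",)):
    """Count attributes seen in unindexed searches, minus ones assumed indexed."""
    counts = Counter(a for h in hits for a in h["attrs"])
    for name in known_indexed:  # assumption: adjust to your index configuration
        counts.pop(name, None)
    return counts

if __name__ == "__main__":
    found = unindexed_searches(SAMPLE_LOG)
    print(found, dict(candidate_attrs(found)))
```

The attributes it reports are candidates only; confirm against the backend's index configuration before adding an index.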


host.py get_dn method:

    def get_dn(self, *keys, **options):
        hostname = keys[-1]
        dn = super(host, self).get_dn(hostname, **options)
        try:
            self.backend.get_entry(dn, [''])
        except errors.NotFound:
            try:
                entry_attrs = self.backend.find_entry_by_attr(
                    'serverhostname', hostname, self.object_class, [''],
                    DN(self.container_dn, api.env.basedn))
                dn = entry_attrs.dn
            except errors.NotFound:
                pass
        return dn

baseldap.py:

    def get_dn(self, *keys, **kwargs):
        if self.parent_object:
            parent_dn = self.api.Object[self.parent_object].get_dn(*keys[:-1])
        else:
            parent_dn = DN(self.container_dn, api.env.basedn)
        if self.rdn_attribute:
            try:
                entry_attrs = self.backend.find_entry_by_attr(
                    self.primary_key.name, keys[-1], self.object_class, [''],
                    DN(self.container_dn, api.env.basedn)
                )
            except errors.NotFound:
                pass
            else:
                return entry_attrs.dn
        if self.primary_key and keys[-1] is not None:
            return self.backend.make_dn_from_attr(
                self.primary_key.name, keys[-1], parent_dn
            )
        assert isinstance(parent_dn, DN)
        return parent_dn

IMO, removing the method from host.py can fix it. But I'm not sure if it would have side effects.

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.6

3 years ago

Metadata Update from @tdudlak:
- Issue assigned to tdudlak

3 years ago

master:

  • 22b0ae4 Create indexes for 'serverhostname' attribute

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
