On Wed, Jul 24, 2019 at 5:48 PM Till Hofmann <thofm...@fedoraproject.org> wrote: > > > > On 7/24/19 4:03 PM, Till Hofmann wrote: > > Hi François, > > > > Thanks for the reply! > > > > On 7/24/19 2:32 PM, François Cami wrote: > > > >>> > >>> Interestingly, during the setup of the replica, the setup is stuck for > >>> quite some time (~30 minutes) in the step " [1/28]: configuring > >>> certificate server instance". In the ns-slapd log, I can see a lot of the > >>> following: > >>> INFO - import_monitor_threads - import ipaca: Processed 40105 entries -- > >>> average rate 123.8/sec, recent rate 114.0/sec, hit ratio 100% > >>> I'm surprised by the number of entries. I had set up the same host as a > >>> replica in a previous try, but needed to remove it due to another error. > >>> May those be left-overs from the previous replica instance? I didn't see > >>> this happening on the first attempt. Before redoing the setup, I removed > >>> the host from the replica set with `ipa-replica-manage del --force`, from > >>> the csreplica with `ipa-csreplica-manage del --force`, and also deleted > >>> the host entry itself with `ipa host-del`. I also uninstalled the freeipa > >>> server on the replica host. > >> > >> Could you count the actual number of requests records in the o=ipaca > >> suffix and examine them? > > > > > > I'm not exactly sure what you mean (I don't have much experience with > > LDAP). Searching for "(objectclass=ipaca*)" gives me 2 results (but I > > guess that's not what you meant). On the replica, ns-slapd processed > > 267358 entries before finishing. > > OK, I was looking in the wrong place. The number of request records in > LDAP is 268721. I'm not sure what exactly I should be looking for, but I > don't see anything unusual.
I could be wrong but at 114 entries processed per second, 268721 would need 37 mins to complete and the timeout is at 5 mins (the 300 seconds above). Let me investigate a bit more and I'll get back to you. Cheers François > I'm currently looking into the ldap auth config of tomcat, I noticed > that it looks quite different compared to the master instance. > > Kind regards, > Till _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
