Bug 2021998

Summary: IPA server (389ds) is very slow in execution of some searches (`&(memberOf=...)(objectClass=ipaHost)` in particular) [rhel-8.5.0.z]
Product: Red Hat Enterprise Linux 8 Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: 389-ds-baseAssignee: LDAP Maintainers <ldap-maint>
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: urgent Docs Contact:
Priority: high    
Version: 8.4CC: adumitru, atikhono, dminnich, dwysocha, grajaiya, jhrozek, ldap-maint, lslebodn, mreynolds, msauton, mzidek, pbrezina, pkulkarn, ppolawsk, rcritten, sbose, sgouvern, spichugi, tbordaz, tmihinto, tscherf, vvasilev
Target Milestone: rcKeywords: Performance, Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 389-ds-1.4-8050020211111125856.4051e825 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1913199 Environment:
Last Closed: 2021-12-21 09:57:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1913199    
Bug Blocks:    

Comment 4 sgouvern 2021-12-08 11:56:34 UTC 
With 389-ds-base-1.4.3.23-12.module+el8.5.0+13329+4096c77a.x86_64

Tested with the steps from https://bugzilla.redhat.com/show_bug.cgi?id=1913199#c54 :

With targetfilter cache disabled :

# time ldapsearch -LLL -h localhost -p 389 -D "uid=demo_user,ou=people,dc=example,dc=com" -w password -b "ou=aci,dc=example,dc=com"
...
real	0m4.829s
user	0m0.033s
sys	0m0.022s

etime for the search operation in the access log : etime=4.7724

[08/Dec/2021:05:39:03.526793875 -0500] conn=507 op=1 SRCH base="ou=aci,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[08/Dec/2021:05:39:08.299059284 -0500] conn=507 op=1 RESULT err=0 tag=101 nentries=501 wtime=0.000222747 optime=4.772269893 etime=4.772488960 notes=U details="Partially Unindexed Filter"

With targetfilter cache enabled :

# time ldapsearch -LLL -h localhost -p 389 -D "uid=demo_user,ou=people,dc=example,dc=com" -w password -b "ou=aci,dc=example,dc=com"
...
real	0m0.511s
user	0m0.010s
sys	0m0.018s

etime for the search operation in the access log : 0.4668

[08/Dec/2021:05:36:30.707609036 -0500] conn=505 op=1 SRCH base="ou=aci,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[08/Dec/2021:05:36:31.174363485 -0500] conn=505 op=1 RESULT err=0 tag=101 nentries=501 wtime=0.000109943 optime=0.466753832 etime=0.466859809 notes=U details="Partially Unindexed Filter"

The operation is significantly faster when targetfilter cache is enabled.
Marking as verified
Comment 12 errata-xmlrpc 2021-12-21 09:57:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:5234