Bug 772778
| Summary: | acl cache overflown problem | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Rich Megginson <rmeggins> | |
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> | |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.3 | CC: | amsharma, jgalipea, kzeus, nrturpin | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | 389-ds-base-1.2.10.0-1.el6 | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: Creating over 200 ACIs in the directory server, and having entries that have to be evaulated against all 200 of these ACIs.
Consequence: ACI evaluation would fail with the error message acl_TestRights - cache overflown
Fix: Change the default limit for the ACI cache to 2000, and allow it to be configurable with the new nsslapd-aclpb-max-selected-acls attribute in cn=ACL Plugin,cn=plugins,cn=config
Result: Much harder to trigger the acl_TestRights - cache overflown message, and allow customers with many ACIs to raise the limit.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 782414 (view as bug list) | Environment: | ||
| Last Closed: | 2012-06-20 07:11:52 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 782414 | |||
|
Description
Rich Megginson
2012-01-09 23:08:18 UTC
please add steps to reproduce/verify this issue Thanks (In reply to comment #1) > please add steps to reproduce/verify this issue > Thanks To reproduce this issue we do ldapsearch on an internal database that contains many nodes having acl restrictions. In our case the number of ACIs is 1500++. This probably means that the acl plugin needs to check permissions on too many nodes. In any case we managed to reproduce the overflow every time we run ldapsearch. Unfortunately, we are unable to disclose the data set we have used to test this, but we hope this information can be helpful. svn ci -m "added tests for cache overflow and new config attr nsslapd-aclpb-max-selected-acls for bug 772778" Adding acl/data/cacheoverflow.ldif Sending acl/keywords.sh Sending acl/misc.sh Sending acl/tet_scen.sh Transmitting file data .... Committed revision 6472. Acl startup(o=ace industry,c=us) 100% (1/1) Acl run(o=ace industry,c=us) 100% (373/373) Acl cleanup 100% (1/1) Hence marking as VERIFIED.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: Creating over 200 ACIs in the directory server, and having entries that have to be evaulated against all 200 of these ACIs.
Consequence: ACI evaluation would fail with the error message acl_TestRights - cache overflown
Fix: Change the default limit for the ACI cache to 2000, and allow it to be configurable with the new nsslapd-aclpb-max-selected-acls attribute in cn=ACL Plugin,cn=plugins,cn=config
Result: Much harder to trigger the acl_TestRights - cache overflown message, and allow customers with many ACIs to raise the limit.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0813.html |