Bug 1236148 - Slow replication when deleting large quantities of multi-valued attributes
Summary: Slow replication when deleting large quantities of multi-valued attributes
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Petr Bokoc
Depends On:
TreeView+ depends on / blocked
Reported: 2015-06-26 17:11 UTC by Noriko Hosoi
Modified: 2016-05-10 19:19 UTC (History)
5 users (show)

Fixed In Version: 389-ds-base-
Doc Type: Enhancement
Doc Text:
Improved performance when deleting large quantities of multi-valued attributes The API used to delete entries with large amounts of multi-valued attributes has been replaced with a significantly faster one, causing a large performance improvement in such situations.
Clone Of:
Last Closed: 2016-05-10 19:19:35 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0737 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2016-05-10 22:29:13 UTC

Description Noriko Hosoi 2015-06-26 17:11:52 UTC
This bug is created as a clone of upstream ticket:

We write to our directory via Java API. When changing our groups the ModificationItems are lists of distinguished names of users. 

There is no problem when we add new uniqueMembers to our groups, but deleting them takes much too long on the second (replicated) master. (example deleting 850 members from 86000 takes 159 seconds on dldap02).

[01/Jun/2015:13:44:47 +0200] conn=141407 op=3 MOD dn="cn=TSNMAIL-VerteilerZugriff,cn=TSNMAIL,cn=Applications,ou=Groups,ou=TSN-AD,dc=tirol+gvOuId=AT:L7:LVN:000001,dc=gv,dc=at"
[01/Jun/2015:13:44:48 +0200] conn=141407 op=3 RESULT err=0 tag=103 nentries=0 etime=0.858000 csn=556c45b0000000010000

[01/Jun/2015:13:44:48 +0200] conn=141354 op=4 MOD dn="cn=TSNMAIL-VerteilerZugriff,cn=TSNMAIL,cn=Applications,ou=Groups,ou=TSN-AD,dc=tirol+gvOuId=AT:L7:LVN:000001,dc=gv,dc=at"
[01/Jun/2015:13:47:28 +0200] conn=141354 op=4 RESULT err=0 tag=103 nentries=0 etime=159.670000 csn=556c45b0000000010000

I found a closed ticket (#346) with some simmilarities, maybe the problem still exists in a multimaster replication environment when deleting attributes. Logging shows millions of calls to plugin_call_syntax_filter_ava uniqueMember=gvGid=AT:L7:TSN:i.weitlaner,ou=People,ou=TSN-AD,dc=tirol+gvOuId=AT:L7:LVN:000001,dc=gv,dc=at ?

Comment 2 Simon Pichugin 2016-03-15 11:45:08 UTC
$ rpm -qa | grep 389-ds-base

Verification scenario by lkrispen - https://fedorahosted.org/389/ticket/48195#comment:21
"I tested this fix with the following scenario:
have 2 masters, have a group with 90000 members, delete 200 members (members 70001-70200). 
without the fix, on the master it takes 1 sec, on the replica 40 sec
with the fix it takes 1 sec on both"

1) Setup two masters replication
master1 - 389
master2 - 390

2) Enable MemberOf Plugin on both instances:
$ ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberofgroupattr
memberofgroupattr: uniquemember
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

3) Increase nsslapd-maxbersize for adding big attributes on both instances:
$ ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123
dn: cn=config
changetype: modify
replace: nsslapd-maxbersize
nsslapd-maxbersize: 400000000

4) Add 90000 users and add them as members on the group
$ head 02users_usrA_grpA.ldif                                                                                                                                                                          
dn: uid=usrA1,dc=example,dc=com
uid: usrA1
objectClass: top
objectClass: person
objectClass: inetUser
sn: usrA1
cn: usrA1
memberOf: cn=grpA,ou=groups,dc=example,dc=com

dn: uid=usrA2,dc=example,dc=com

$ head grpA.ldif 
dn: cn=grpA,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: grpA
member: uid=usrA1,dc=example,dc=com
member: uid=usrA2,dc=example,dc=com
member: uid=usrA3,dc=example,dc=com
member: uid=usrA4,dc=example,dc=com
member: uid=usrA5,dc=example,dc=com
member: uid=usrA6,dc=example,dc=com

$ ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -f 02users_usrA_grpA.ldif 
$ ldapmodify -a -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -f grpA.ldif

5) Wait for replica
$ ldapsearch -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=grpA,ou=groups,dc=example,dc=com" |grep -i member: |wc -l
$ ldapsearch -x -p 390 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=grpA,ou=groups,dc=example,dc=com" |grep -i member: |wc -l

6) Delete 200 members from master1
$ head del200members.ldif 
dn: cn=grpA,ou=groups,dc=example,dc=com
changetype: modify
delete: member
member: uid=usrA70001,dc=example,dc=com
member: uid=usrA70002,dc=example,dc=com
member: uid=usrA70003,dc=example,dc=com
member: uid=usrA70004,dc=example,dc=com
member: uid=usrA70005,dc=example,dc=com
member: uid=usrA70006,dc=example,dc=com
member: uid=usrA70007,dc=example,dc=com
$ time ldapmodify -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -f del200members.ldif
modifying entry "cn=grpA,ou=groups,dc=example,dc=com"

real    0m0.325s
user    0m0.001s
sys     0m0.001s

7) Delete 200 members from master2
$ head del200members2.ldif 
dn: cn=grpA,ou=groups,dc=example,dc=com
changetype: modify
delete: member
member: uid=usrA60001,dc=example,dc=com
member: uid=usrA60002,dc=example,dc=com
member: uid=usrA60003,dc=example,dc=com
member: uid=usrA60004,dc=example,dc=com
member: uid=usrA60005,dc=example,dc=com
member: uid=usrA60006,dc=example,dc=com
member: uid=usrA60007,dc=example,dc=com
$ time ldapmodify -x -p 390 -h localhost -D "cn=Directory Manager" -w Secret123 -f del200members2.ldif
modifying entry "cn=grpA,ou=groups,dc=example,dc=com"

real    0m0.326s
user    0m0.001s
sys     0m0.001s

8) Check
$ ldapsearch -x -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=grpA,ou=groups,dc=example,dc=com" |grep -i member: |wc -l
$ ldapsearch -x -p 390 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=grpA,ou=groups,dc=example,dc=com" |grep -i member: |wc -l

Result: deletion times on master and replica are the same.

Marking as verified.

Comment 4 errata-xmlrpc 2016-05-10 19:19:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.