RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1615924 - Fine grained password policy can impact search performance [rhel-7.5.z]
Summary: Fine grained password policy can impact search performance [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.7-Alt
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1593807
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-08-14 14:23 UTC by Oneata Mircea Teodor
Modified: 2021-12-10 17:17 UTC (History)
11 users (show)

Fixed In Version: 389-ds-base-1.3.7.5-26.el7_5
Doc Type: Bug Fix
Doc Text:
When a search evaluates the "shadowAccount" entry, Directory Server adds the shadow attributes to the entry. If the fine-grained password policy is enabled, the "shadowAccount" entry can contain its own "pwdpolicysubentry" policy attribute. Previously, to retrieve this attribute, the server started an internal search for each "shadowAccount" entry, which was unnecessary because the entry was already known to the server. With this update, Directory Server only starts internal searches if the entry is not known. As a result, the performance of searches, such as response time and throughput, is improved.
Clone Of: 1593807
Environment:
Last Closed: 2018-09-25 19:06:11 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2757 0 None None None 2018-09-25 19:06:53 UTC

Description Oneata Mircea Teodor 2018-08-14 14:23:15 UTC 
This bug has been copied from bug #1593807 and has been proposed to be backported to 7.5 z-stream (EUS).
Comment 3 Viktor Ashirov 2018-08-30 14:51:28 UTC 
Build tested: 389-ds-base-1.3.7.5-27.el7_5.x86_64

Before the fix (build -25):
# ldapsearch -xLLL -b dc=example,dc=com '(uid=09999)'
dn: uid=09999,ou=People,dc=example,dc=com
uid: 09999
uid: testnew09999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
sn: testnew09999
cn: testnew09999
givenName: testnew09999
description: description09999
mail: testnew09999
uidNumber: 309999
gidNumber: 409999
shadowMin: 0
shadowMax: 99999
shadowInactive: 30
shadowWarning: 7
homeDirectory: /home/uid09999
shadowLastChange: 17773

In the access logs:
[30/Aug/2018:14:36:03.572822516 +0000] conn=17 fd=64 slot=64 connection from ::1 to ::1
[30/Aug/2018:14:36:03.573064348 +0000] conn=17 op=0 BIND dn="" method=128 version=3
[30/Aug/2018:14:36:03.573203171 +0000] conn=17 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000309934 dn=""
[30/Aug/2018:14:36:03.573543220 +0000] conn=17 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=09999)" attrs=ALL
[30/Aug/2018:14:36:03.573858437 +0000] conn=Internal op=-1 SRCH base="uid=09999,ou=people,dc=example,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[30/Aug/2018:14:36:03.573989379 +0000] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.0000158917
[30/Aug/2018:14:36:03.574201475 +0000] conn=17 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000839187
[30/Aug/2018:14:36:03.574717051 +0000] conn=17 op=2 UNBIND
[30/Aug/2018:14:36:03.574743698 +0000] conn=17 op=2 fd=64 closed - U1


# ldclt -b "ou=people,dc=example,dc=com" -f uid=09999 -e esearch -I 32 -N 10
ldclt version 4.23
ldclt[1220]: Starting at Thu Aug 30 14:42:02 2018

ldclt[1220]: Average rate: 20849.60/thr  (20849.60/sec), total: 208496
ldclt[1220]: Average rate: 19070.30/thr  (19070.30/sec), total: 190703
ldclt[1220]: Average rate: 20754.90/thr  (20754.90/sec), total: 207549
ldclt[1220]: Average rate: 20763.00/thr  (20763.00/sec), total: 207630
ldclt[1220]: Average rate: 18704.90/thr  (18704.90/sec), total: 187049
ldclt[1220]: Average rate: 20681.30/thr  (20681.30/sec), total: 206813
ldclt[1220]: Average rate: 20674.30/thr  (20674.30/sec), total: 206743
ldclt[1220]: Average rate: 20155.40/thr  (20155.40/sec), total: 201554
ldclt[1220]: Average rate: 20670.30/thr  (20670.30/sec), total: 206703
ldclt[1220]: Average rate: 20770.40/thr  (20770.40/sec), total: 207704
ldclt[1220]: Number of samples achieved. Bye-bye...
ldclt[1220]: All threads are dead - exit.
ldclt[1220]: T002: thread is dead.
ldclt[1220]: Global average rate: 203094.41/thr  (20309.44/sec), total: 2030944
ldclt[1220]: Global number times "no activity" reports: never
ldclt[1220]: Global number of dead threads: 1
ldclt[1220]: Global no error occurs during this session.
ldclt[1220]: Ending at Thu Aug 30 14:43:42 2018
ldclt[1220]: Exit status 0 - No problem during execution.
ldclt[1220]: T003: thread is dead.
ldclt[1220]: T007: thread is dead.
ldclt[1220]: T007: thread is dead.


With the fix:

[30/Aug/2018:14:37:47.959443571 +0000] conn=2 fd=64 slot=64 connection from ::1 to ::1
[30/Aug/2018:14:37:47.959705138 +0000] conn=2 op=0 BIND dn="" method=128 version=3
[30/Aug/2018:14:37:47.959822415 +0000] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000324388 dn=""
[30/Aug/2018:14:37:47.960266428 +0000] conn=2 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=09999)" attrs=ALL
[30/Aug/2018:14:37:47.960801248 +0000] conn=2 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000833225
[30/Aug/2018:14:37:47.961340496 +0000] conn=2 op=2 UNBIND
[30/Aug/2018:14:37:47.961377484 +0000] conn=2 op=2 fd=64 closed - U1

# ldclt -b "ou=people,dc=example,dc=com" -f uid=09999 -e esearch -I 32 -N 10
ldclt version 4.23
ldclt[1877]: Starting at Thu Aug 30 14:45:57 2018

ldclt[1877]: Average rate: 34292.00/thr  (34292.00/sec), total: 342920
ldclt[1877]: Average rate: 33961.00/thr  (33961.00/sec), total: 339610
ldclt[1877]: Average rate: 33089.50/thr  (33089.50/sec), total: 330895
ldclt[1877]: Average rate: 34167.60/thr  (34167.60/sec), total: 341676
ldclt[1877]: Average rate: 34308.20/thr  (34308.20/sec), total: 343082
ldclt[1877]: Average rate: 32118.20/thr  (32118.20/sec), total: 321182
ldclt[1877]: Average rate: 34664.60/thr  (34664.60/sec), total: 346646
ldclt[1877]: Average rate: 34318.10/thr  (34318.10/sec), total: 343181
ldclt[1877]: Average rate: 33888.50/thr  (33888.50/sec), total: 338885
ldclt[1877]: Average rate: 34459.90/thr  (34459.90/sec), total: 344599
ldclt[1877]: Number of samples achieved. Bye-bye...
ldclt[1877]: All threads are dead - exit.
ldclt[1877]: Global average rate: 339267.59/thr  (33926.76/sec), total: 3392676
ldclt[1877]: Global number times "no activity" reports: never
ldclt[1877]: Global no error occurs during this session.
ldclt[1877]: T006: thread is dead.
ldclt[1877]: Ending at Thu Aug 30 14:47:37 2018
ldclt[1877]: Exit status 0 - No problem during execution.
ldclt[1877]: T002: thread is dead.

Internal search is no longer present in the access logs and average search rate increased by ~60% (both tests were with nunc-stans on).

Marking as VERIFIED.
Comment 5 errata-xmlrpc 2018-09-25 19:06:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2757
Note You need to log in before you can comment on or make changes to this bug.