[Pki-users] Configuring pagesize/max request for LDAP certificate searches

Jared Ledvina jared at techsmix.net
Wed Dec 5 04:43:44 UTC 2018


Hi!

I've been looking into why on our production FreeIPA v4.5.4 installation, 'ipa host-del --updatedns FQDN' operations take 2-5 minutes per host. While looking into this I've discovered a variety of issues that I've fixed along the way. This appears to be the last significant one that I'm unable to sort out.

During an IPA host deletion, it looks like FreeIPA has pki-tomcat revoke all issued certificates for the host being deleted. In our setup, this results in ~10 seconds of paginated LDAP searches to a VLV index per certificate. Typically, a host will have around 5-7 certificates issued and active for it. From the 389-ds access logs, we see entries like this:
https://paste.fedoraproject.org/paste/60eEuw1ldZh7SZyoIEqUCw

and then in the pki-tomcat debug logs, there are corresponding by timestamp entries like this:
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: getEntries: exception java.lang.ClassCastException
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList: entries: 2000
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getPage(11995)
[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getEntries()

Since the search result etimes according to LDAP are really quick (sub 0.0## seconds), I think the easiest way to speed these up would be to increase the page size / max request limit pki-tomcat is doing when it queries LDAP.

From my tracing through the code, I think that would involve setting this:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_1_FEDORA_27/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java#L90

which might be used in:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_1_FEDORA_27/base/server/cmscore/src/com/netscape/cmscore/dbs/DBVirtualList.java#L563-L586

Has anyone looked at this code path before? 2000 seems like a sane default, but we have 133,934+ entries and counting in our ou=certificateRepository,ou=ca,o=ipaca, so paging through those results for each issued certificate takes a noticeable amount of time.

Of course, if any other information would help, let me know, more than happy to provide it!

Thanks,
Jared

-- 
  Jared Ledvina
  jared at techsmix.net
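As an added illustration (not part of Jared's post or of the Dogtag code base), here is a small Python helper that parses pki-tomcat debug lines in the format quoted above, groups DBVirtualList paging activity per request thread, and estimates how many VLV pages one host-del would fetch for a given repository size and page size. The log lines and the figure of 6 certificates per host are constructed assumptions for the example.

```python
import math
import re
from collections import defaultdict

# pki-tomcat debug line shape as quoted in the post: [timestamp][thread]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
ENTRIES_RE = re.compile(r"DBVirtualList: entries: (\d+)")
GETPAGE_RE = re.compile(r"DBVirtualList\.getPage\((\d+)\)")

# Constructed sample in the same format as the post's excerpt (not real log data).
SAMPLE_LOG = [
    "[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: getEntries: exception java.lang.ClassCastException",
    "[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList: entries: 2000",
    "[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getPage(11995)",
    "[04/Dec/2018:18:38:38][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getEntries()",
    "[04/Dec/2018:18:38:39][ajp-bio-127.0.0.1-8009-exec-14]: DBVirtualList.getPage(13995)",
    "[04/Dec/2018:18:38:39][ajp-bio-127.0.0.1-8009-exec-3]: DBVirtualList: entries: 2000",
    "[04/Dec/2018:18:38:39][ajp-bio-127.0.0.1-8009-exec-3]: DBVirtualList.getPage(0)",
    "this line is not in the debug format and is skipped",
]

def parse_debug_log(lines):
    """Group DBVirtualList activity by request thread so paging per request is visible."""
    per_thread = defaultdict(lambda: {"page_size": None, "offsets": [], "exceptions": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pki-tomcat debug line
        rec, msg = per_thread[m.group("thread")], m.group("msg")
        if (e := ENTRIES_RE.search(msg)):
            rec["page_size"] = int(e.group(1))      # page size pki-tomcat requested
        if (g := GETPAGE_RE.search(msg)):
            rec["offsets"].append(int(g.group(1)))  # VLV offsets fetched by this request
        if "exception" in msg:
            rec["exceptions"] += 1
    return dict(per_thread)

def pages_per_scan(repository_size, page_size):
    """VLV pages needed to walk the whole certificate repository at one page size."""
    return math.ceil(repository_size / page_size)

def pages_per_host_del(repository_size, page_size, certs_per_host):
    """Pages fetched for one host-del if every certificate revocation walks the repository."""
    return pages_per_scan(repository_size, page_size) * certs_per_host

if __name__ == "__main__":
    for thread, rec in parse_debug_log(SAMPLE_LOG).items():
        print(thread, rec)
    # 133,934 entries from the post; 6 certificates per host is a constructed midpoint of "5-7"
    print(pages_per_host_del(133934, 2000, 6), pages_per_host_del(133934, 20000, 6))
```

Running the estimate with the post's numbers shows 67 pages per certificate at a page size of 2000, so raising the page size is what shrinks the number of round trips per revocation.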
