Discussion:
[Freeipa-users] Adjusting nsslapd-cachememsize
Lachlan Musicman
2017-03-17 02:20:17 UTC
While going through the logs on the FreeIPA server, I noticed this:


WARNING: changelog: entry cache size 2097152 B is less than db size
12804096 B; We recommend to increase the entry cache size
nsslapd-cachememsize.


I have found a number of documents:

What it is:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Database_Attributes_under_cnNetscapeRoot_cnldbm_database_cnplugins_cnconfig_and_cnUserRoot_cnldbm_database_cnplugins_cnconfig-nsslapd_cachememsize.html

How to tune it:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/memoryusage.html


etc etc.

I have no idea of what the secret password is for the "cn=directory
manager" and can't find any information about where I might find it or
where or when it might have been set anywhere. I have found a number of
likely candidates, but none have worked.

I found this page:

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

but I'd prefer to not change the password if possible.

cheers
L.



------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
Bob Hinton
2017-03-17 08:45:57 UTC
Hi Lachlan,

This is probably a complete hack, but the way I've changed
nsslapd-cachememsize in the past is -

On each ipa replica in turn -

1. ipactl stop
2. vim /etc/dirsrv/slapd-DOMAIN/dse.ldif - (where DOMAIN is your
server's domain/realm - not sure which) find and change the value of
nsslapd-cachememsize
3. ipactl start

This seemed to work in that it made the error messages go away and it
made heavily loaded servers more stable. However, I've not tried this on
a recent version of ipa so it may no longer work or not be needed any more.

Regards

Bob
Lachlan Musicman
2017-03-20 21:14:57 UTC
Directly editing the dse.ldif didn't work. ipactl start hangs on
pki-tomcatd. I think I've broken it. I seem to recall ldap not liking being
edited by hand.

cheers
L.

Rich Megginson
2017-03-20 22:34:18 UTC
Post by Lachlan Musicman
Directly editing the dse.ldif didn't work. ipactl start hangs on
pki-tomcatd. I think I've broken it. I seem to recall ldap not liking
being edited by hand.

You have to make sure dirsrv is not running before you edit dse.ldif.
Not sure if ipactl stop will wait until all services are not running.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
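
Added example (not part of any poster's message and not FreeIPA project code): the offline edit described in the thread, with a check that ns-slapd has exited before dse.ldif is touched and with the change confined to a single entry. The function names, the return codes and the entry DN passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: change nsslapd-cachememsize for ONE entry of an offline dse.ldif.

# True if any 389 Directory Server daemon (process name ns-slapd) is still alive.
dirsrv_running() {
    for comm in /proc/[0-9]*/comm; do
        if [ "$(cat "$comm" 2>/dev/null)" = "ns-slapd" ]; then return 0; fi
    done
    return 1
}

# set_cachememsize FILE ENTRY_DN BYTES
# Return codes: 2 bad size, 3 server running, 4 attribute not found in that entry.
set_cachememsize() {
    file=$1 dn=$2 bytes=$3
    case $bytes in ''|*[!0-9]*) echo "size must be bytes, digits only" >&2; return 2;; esac
    if dirsrv_running; then
        echo "ns-slapd is still running; refusing to edit $file" >&2
        return 3
    fi
    cp -p "$file" "$file.bak" || return 1        # keep the previous config
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Rewrite the attribute only inside the entry whose dn matches (assumes the
    # dn line is not folded; entries are separated by blank lines).
    awk -v dn="$dn" -v val="$bytes" '
        /^dn: / { inentry = (tolower(substr($0, 5)) == tolower(dn)) }
        /^$/    { inentry = 0 }
        inentry && tolower($0) ~ /^nsslapd-cachememsize:/ {
            print "nsslapd-cachememsize: " val; changed = 1; next
        }
        { print }
        END { exit(changed ? 0 : 4) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 4; }
    # Overwrite in place so the file keeps its owner, mode and SELinux label.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage: script FILE ENTRY_DN BYTES
if [ "$#" -eq 3 ]; then set_cachememsize "$@"; fi
```

The previous file is kept beside the original as dse.ldif.bak, so a failed start can be rolled back by copying it over dse.ldif while the server is still stopped.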
Petr Vobornik
2017-03-17 09:32:43 UTC
Post by Lachlan Musicman
I have no idea of what the secret password is for the "cn=directory manager" and
can't find any information about where I might find it or where or when it might
have been set anywhere. I have found a number of likely candidates, but none
have worked.

When you install a first IPA server, run ipa-kra-install, or install a
replica (before 4.4 replica promotion) you typically write that password.

I.e. in ipa-server-install you provide 2 passwords, one for directory
manager second for admin user.
--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.