Slapd benötigt bis zu 50% CPU

Hallo Leute,
wir nutzen den UCS als Memberserver einer Windows 2012R2 Domäne. Auf dem UCS Server ist nur Zarafa und Fetchmail installiert,
Hat jemand eine Idee wie das kommen kann?
Unter messages habe ich folgede Logs:Aug 23 22:00:04 ucsserver kernel: [ 7776.795668] univention-dire[25460]: segfault at 0 ip 00007f90627f367f sp 00007fffc87c8028 error 4 in libc-2.13.so[7f90626d8000+182000] Aug 23 22:01:05 ucsserver kernel: [ 7837.358993] univention-dire[25503]: segfault at 0 ip 00007f567ce4767f sp 00007ffdf3c31b08 error 4 in libc-2.13.so[7f567cd2c000+182000] Aug 23 22:02:05 ucsserver kernel: [ 7897.938581] univention-dire[25547]: segfault at 0 ip 00007f434752067f sp 00007ffe255d9d48 error 4 in libc-2.13.so[7f4347405000+182000] Aug 23 22:03:06 ucsserver kernel: [ 7958.492570] univention-dire[25581]: segfault at 0 ip 00007f40714af67f sp 00007ffd111edc98 error 4 in libc-2.13.so[7f4071394000+182000] Aug 23 22:04:06 ucsserver kernel: [ 8019.061242] univention-dire[25607]: segfault at 0 ip 00007f1ece08967f sp 00007fff4384bb68 error 4 in libc-2.13.so[7f1ecdf6e000+182000] Aug 23 22:05:07 ucsserver kernel: [ 8079.628920] univention-dire[25768]: segfault at 0 ip 00007f7f6e18767f sp 00007fff10fc5538 error 4 in libc-2.13.so[7f7f6e06c000+182000] Aug 23 22:06:08 ucsserver kernel: [ 8140.190240] univention-dire[25794]: segfault at 0 ip 00007fd0559b067f sp 00007fff1f0e3f08 error 4 in libc-2.13.so[7fd055895000+182000]

Nun sind es sogar öfter mal bis zu 100%

Unter listener.log steht noch folgendes:
23.08.15 22:29:33.259 LISTENER ( WARN ) : initializing module well-known-sid-name-mapping
23.08.15 22:29:33.365 LISTENER ( ERROR ) : database error: c_get: Input/output error

  1. Muss eigentlich der AD Connector installiert sein?
  2. Der Eintrag _domaincontroller_master ist im DNS vorhanden. Brauch man den?

Ich habe nun folgende Anleitung gefunden:
sdb.univention.de/content/14/305 … cache.html

Bei Punkt 2:[code]root@ucsserver:/var/log/univention# eval “$(ucr shell)”
/usr/sbin/univention-directory-listener -F -b $ldap_base
-m /usr/lib/univention-directory-listener/system
-c /var/lib/univention-directory-listener -d $listener_debug_level
-x -ZZ -D cn=admin,$ldap_base -y /etc/ldap.secret
-g >/var/log/univention/listener.log 2>&1 &root@uc01ex02:/var/log/univention# /usr/sbin/univention-directory-listener -F -b $ldap_base \

-m /usr/lib/univention-directory-listener/system
23.08.15 23:42:17.987 DEBUG_INIT
23.08.15 23:42:17.993 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error
23.08.15 23:42:47.994 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error
23.08.15 23:43:17.995 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error
23.08.15 23:43:47.996 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error
23.08.15 23:44:17.997 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error
23.08.15 23:44:47.998 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error
23.08.15 23:45:17.999 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error
23.08.15 23:45:48.000 LDAP ( ERROR ) : ldap_sasl_interactive_bind: Local error[/code]

Samba4 scheint auch nicht zu laufen…

[code]root@ucsserver:/var/log/univention# samba-tool drs showrepl

Failed to connect host 10.53.91.60 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 10.53.91.60 (ucsserver.kunde.lan) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class ‘samba.drs_utils.drsException’>): DRS connection to ucsserver.kunde.lan failed - drsException: DRS connection to ucsserver.kunde.lan failed: (-1073741258, ‘The connection was refused’)
File “/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py”, line 39, in drsuapi_connect
(ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
File “/usr/lib/python2.7/dist-packages/samba/drs_utils.py”, line 54, in drsuapi_connect
raise drsException(“DRS connection to %s failed: %s” % (server, e))[/code]

Läuft denn überhaupt der slapd?

Für CPU-Last vom slapd sind oftmals fehlende Indizes ausschlaggebend. Um diese zu finden, kann man den LDAP-Server mit Debuginfos starten. Hier ist das gut beschrieben.

Ja, den AD-Connector benötigen Sie auf Mitgliedsservern. Siehe Dokumentation.

Ja, solche DNS-Einträge werden im UCS-LDAP benötigt für den UCS-Teil der Domäne.

Fehler unter /var/log/mail.err
php-mapi[29398]: MAPI error: 8004010f (method: zif_mapi_ab_openentry, line: 1128

root@ucsserver:/var/log# tail user.log Aug 24 07:18:25 ucsserver python2.7: pam_ldap: error trying to bind as user "uid=maro,ou=Administratoren,dc=kunde,dc=lan" (Invalid credentials) Aug 24 07:18:32 ucsserver python2.7: pam_ldap: error trying to bind as user "uid=maro,ou=Administratoren,dc=kunde,dc=lan" (Invalid credentials) Aug 24 07:46:04 ucsserver nagios3: Auto-save of retention data completed successfully. Aug 24 08:26:54 ucsserver nagios3: SERVICE NOTIFICATION: root@localhost;ucsserver.kunde.lan;UNIVENTION_REPLICATION;CRITICAL;notify-service-by-email;CRITICAL: no change of listener transaction id for last 10 checks (nid=25151 lid=) Aug 24 08:46:04 ucsserver nagios3: Auto-save of retention data completed successfully. Aug 24 09:19:42 ucsserver python2.7: pam_ldap: error trying to bind as user "uid=Administrator,cn=users,dc=kunde,dc=lan" (Invalid credentials) Aug 24 09:19:49 ucsserver python2.7: pam_ldap: error trying to bind as user "uid=Administrator,cn=users,dc=kunde,dc=lan" (Invalid credentials) Aug 24 09:20:01 ucsserver python2.7: pam_ldap: error trying to bind as user "uid=Administrator,cn=users,dc=kunde,dc=lan" (Invalid credentials) Aug 24 09:20:20 ucsserver python2.7: pam_ldap: error trying to bind as user "uid=Administrator,cn=users,dc=kunde,dc=lan" (Invalid credentials) Aug 24 09:46:04 ucsserver nagios3: Auto-save of retention data completed successfully.

Ja slapd läuft

Siehe:
top - 09:52:45 up 11:08, 3 users, load average: 2,98, 3,13, 2,96
Tasks: 279 total, 1 running, 278 sleeping, 0 stopped, 0 zombie
%Cpu(s): 29,2 us, 4,1 sy, 0,0 ni, 64,8 id, 1,0 wa, 0,0 hi, 0,9 si, 0,0 st
KiB Mem: 20607792 total, 12528332 used, 8079460 free, 447028 buffers
KiB Swap: 2097148 total, 0 used, 2097148 free, 9512864 cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3330 root 20 0 2743m 31m 13m S 229,5 0,2 3:44.84 slapd
4271 root 20 0 116m 2892 2288 S 20,0 0,0 0:30.12 rsyslogd
6121 root 20 0 682m 388m 11m S 5,0 1,9 11:44.90 zarafa-server
4867 mysql 20 0 504m 212m 10m S 3,7 1,1 15:00.95 mysqld
3040 www-data 20 0 230m 35m 16m S 3,0 0,2 0:01.63 apache2

Der Server ist in einer VMware hat 8 CPUs und 20GB RAM

Ich habe nun das Debug Level erhöht mit:

ucr set ldap/debug/level=-1
invoke-rc.d slapd restart
grep ‘not indexed’ /var/log/syslog

Syslog:

Aug 24 09:54:22 ucsserver slapd[3330]: ou Aug 24 09:54:22 ucsserver slapd[3330]: cn Aug 24 09:54:22 ucsserver slapd[3330]: cn Aug 24 09:54:22 ucsserver slapd[3330]: modifyTimestamp Aug 24 09:54:22 ucsserver slapd[3330]: Aug 24 09:54:22 ucsserver slapd[3330]: conn=1007 op=921 SRCH base="dc=kunde,dc=lan" scope=2 deref=0 filter="(&(&(zarafaAccount=1)(|(objectClass=zarafa-user)))(|(uid=kaja)))" Aug 24 09:54:22 ucsserver slapd[3330]: conn=1007 op=921 SRCH attr=objectClass zarafaSharedStoreOnly zarafaResourceType zarafaSecurityGroup entryUUID gidNumber ou cn cn modifyTimestamp Aug 24 09:54:22 ucsserver slapd[3330]: ==> limits_get: conn=1007 op=921 self="cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan" this="dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: <== limits_get: type=DN match=USERS Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_search Aug 24 09:54:22 ucsserver slapd[3330]: mdb_dn2entry("dc=kunde,dc=lan") Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_dn2id("dc=kunde,dc=lan") Aug 24 09:54:22 ucsserver slapd[3330]: <= mdb_dn2id: got id=0x1 Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_entry_decode: Aug 24 09:54:22 ucsserver slapd[3330]: <= mdb_entry_decode Aug 24 09:54:22 ucsserver slapd[3330]: => access_allowed: search access to "dc=kunde,dc=lan" "entry" requested Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [2] cn=admin,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => acl_get: [3] attr entry Aug 24 09:54:22 ucsserver slapd[3330]: => acl_mask: access to entry "dc=kunde,dc=lan", attr "entry" requested Aug 24 09:54:22 ucsserver slapd[3330]: => acl_mask: to all values by "cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan", (=0) Aug 24 09:54:22 ucsserver slapd[3330]: <= check a_sockname_path: PATH=/var/run/slapd/ldapi Aug 24 09:54:22 ucsserver slapd[3330]: <= check a_dn_pat: uid=administrator,cn=users,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: <= check a_dn_pat: * Aug 24 09:54:22 ucsserver slapd[3330]: <= acl_mask: [3] applying none(=0) (break) Aug 24 09:54:22 ucsserver slapd[3330]: <= acl_mask: [3] mask: none(=0) Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [4] uid=administrator,cn=users,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [5] uid=join-backup,cn=users,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [6] uid=join-slave,cn=users,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => acl_get: [7] attr entry Aug 24 09:54:22 ucsserver slapd[3330]: => acl_mask: access to entry "dc=kunde,dc=lan", attr "entry" requested Aug 24 09:54:22 ucsserver slapd[3330]: => acl_mask: to all values by "cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan", (none(=0)) Aug 24 09:54:22 ucsserver slapd[3330]: <= check a_group_pat: cn=domänen-admins,cn=groups,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_entry_get: ndn: "cn=domänen-admins,cn=groups,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_entry_get: oc: "univentionGroup", at: "uniqueMember" Aug 24 09:54:22 ucsserver slapd[3330]: mdb_dn2entry("cn=domänen-admins,cn=groups,dc=kunde,dc=lan") Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_dn2id("cn=domänen-admins,cn=groups,dc=kunde,dc=lan") Aug 24 09:54:22 ucsserver slapd[3330]: <= mdb_dn2id: got id=0x4f Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_entry_decode: Aug 24 09:54:22 ucsserver slapd[3330]: <= mdb_entry_decode Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_entry_get: found entry: "cn=domänen-admins,cn=groups,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: mdb_entry_get: rc=0 Aug 24 09:54:22 ucsserver slapd[3330]: dnMatch -4#012#011"uid=administrator,cn=users,dc=kunde,dc=lan"#012#011"cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: dnMatch -3#012#011"uid=wead,ou=administratoren,dc=kunde,dc=lan"#012#011"cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: dnMatch 1#012#011"uid=cdkadmin,ou=administratoren,dc=kunde,dc=lan"#012#011"cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: dnMatch 4#012#011"uid=dracaradmin,ou=administratoren,dc=kunde,dc=lan"#012#011"cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: dnMatch -9#012#011"uid=avaya,ou=services,dc=kunde,dc=lan"#012#011"cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: dnMatch -3#012#011"uid=wein,ou=administratoren,dc=kunde,dc=lan"#012#011"cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: <= check a_dn_pat: * Aug 24 09:54:22 ucsserver slapd[3330]: <= acl_mask: [2] applying read(=rscxd) (break) Aug 24 09:54:22 ucsserver slapd[3330]: <= acl_mask: [2] mask: read(=rscxd) Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [9] cn=admin-settings,cn=univention,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [10] ^uid=([^,]+),cn=admin-settings,cn=univention,dc=kunde,dc=lan$ nsub: 1 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [11] ^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,dc=kunde,dc=lan$ nsub: 2 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [12] ^cn=([^,]+),cn=apps,cn=univention,dc=kunde,dc=lan$ nsub: 1 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [13] ^cn=apps,cn=univention,dc=kunde,dc=lan$ nsub: 0 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [15] ^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,dc=kunde,dc=lan$ nsub: 1 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [16] ^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,dc=kunde,dc=lan$ nsub: 1 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [17] ^cn=(Information|CloudConnection),cn=Virtual Machine Manager,dc=kunde,dc=lan$ nsub: 1 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [18] ^cn=([^,]+),cn=([^,]+),cn=temporary,cn=univention,dc=kunde,dc=lan$ nsub: 2 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [19] ^cn=([^,]+),cn=temporary,cn=univention,dc=kunde,dc=lan$ nsub: 1 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [20] ^cn=([^,]+),cn=temporary,cn=univention,dc=kunde,dc=lan$ nsub: 1 Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [22] cn=computers,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [23] dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [24] dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [25] ^cn=.*,cn=dc,cn=computers,dc=kunde,dc=lan$ nsub: 0 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [26] ^cn=.*,cn=memberserver,cn=computers,dc=kunde,dc=lan$ nsub: 0 Aug 24 09:54:22 ucsserver slapd[3330]: => dnpat: [27] ^cn=.*,cn=memberserver,cn=computers,dc=kunde,dc=lan$ nsub: 0 Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [31] cn=idmap,cn=univention,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => dn: [32] cn=idmap,cn=univention,dc=kunde,dc=lan Aug 24 09:54:22 ucsserver slapd[3330]: => acl_get: [33] attr entry Aug 24 09:54:22 ucsserver slapd[3330]: => acl_mask: access to entry "dc=kunde,dc=lan", attr "entry" requested Aug 24 09:54:22 ucsserver slapd[3330]: => acl_mask: to all values by "cn=ucsserver,cn=dc,cn=computers,dc=kunde,dc=lan", (read(=rscxd)) Aug 24 09:54:22 ucsserver slapd[3330]: <= check a_set_pat: user & [cn=Domänen-Admins,cn=groups,dc=kunde,dc=lan]/uniqueMember* Aug 24 09:54:22 ucsserver slapd[3330]: >>> dnNormalize: <cn=Domänen-Admins,cn=groups,dc=kunde,dc=lan> Aug 24 09:54:22 ucsserver slapd[3330]: <<< dnNormalize: <cn=domänen-admins,cn=groups,dc=kunde,dc=lan> Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_entry_get: ndn: "cn=domänen-admins,cn=groups,dc=kunde,dc=lan" Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_entry_get: oc: "(null)", at: "uniqueMember" Aug 24 09:54:22 ucsserver slapd[3330]: mdb_dn2entry("cn=domänen-admins,cn=groups,dc=kunde,dc=lan") Aug 24 09:54:22 ucsserver slapd[3330]: => mdb_dn2id("cn=domänen-admins,cn=groups,dc=kunde,dc=lan") Aug 24 09:54:22 ucsserver rsyslogd-2177: imuxsock begins to drop messages from pid 3330 due to rate-limiting

Benötige ich den AD Connector auch dann, wenn wir 2 Windows Domänen Controller 2012R2 haben und der UCSServer nur als Memberserver dient? Er hat keine Rolle im AD, er soll nur Mitglied sein und die User für Zarafa bereitstellen.

Muss der “Administrator” Administrator heißen? Wir hatten früher den Adminsitrator deaktiviert und einen neuen admin erstellt.

Ja, den AD-Connector brauchen Sie. Ich wieder hole mich hier gerne :slight_smile: Siehe Dokumentation, wieso er benötigt wird.

Administrator umbenennen: gute Frage, kann ich nicht wirklich beantworten.

Das, was Sie vom Syslog gepastet haben, ergibt erst einmal keinerlei Aufschluss. Findet das »grep« zum Thema »indexed« nichts im Syslog?

Ich frage deshalb so blöd, weil wir den früher nie benutzt haben und es immer funktioniert hat.
Wir hatte früher eine Windows 2000 Domäne und sind nun auf Windows 2012R2.

Wir haben nun 3 DCs Server. Muss ich im AD Connector alle 3 Einstellen und insatllieren oder reicht einer?

Syslog | grep indexd
Aug 24 10:07:47 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:10:54 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:11:42 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:14:18 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:17:48 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:18:06 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:18:30 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:18:54 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:20:30 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed

Im Connector genügt einer.

Für zarafaAccount sollten Sie unbedingt einen Index erstellen lassen. Fügen Sie dazu der UCR-Variable »ldap/index/eq« das Feld zarafaAccount hinzu. Danach den LDAP-Server beenden und die Indizes neu erstellen lassen, grob so:

ucr set "ldap/index/eq=$(ucr get ldap/index/eq),zarafaAccount" service slapd stop slapindex service slapd start

Danach erneut die LDAP-Suche probieren, z.B. auch einen »zarafa-admin --sync« ausführen und schauen, ob im syslog weiterhin Attribute auftauchen, die nicht indiziert sind.

Das habe ich nun ausgeführt:

Anbei das log:

Aug 24 10:31:14 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:31:14 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:31:14 ucsserver slapd[3330]: <= mdb_index_read 1 candidates
Aug 24 10:35:32 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:35:32 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:35:32 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:35:32 ucsserver slapd[3330]: <= mdb_index_read 1 candidates
Aug 24 10:35:38 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:35:38 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:35:38 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:36:14 ucsserver slapd[3330]: <= mdb_index_read 4 candidates
Aug 24 10:36:32 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:36:32 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:36:32 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:36:32 ucsserver slapd[3330]: <= mdb_index_read 1 candidates
Aug 24 10:38:50 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:38:56 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:38:56 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:39:08 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:39:08 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:39:08 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:39:08 ucsserver slapd[3330]: <= mdb_index_read 1 candidates
Aug 24 10:41:32 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:41:32 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:41:56 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:41:56 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:41:56 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:41:56 ucsserver slapd[3330]: <= mdb_index_read 1 candidates
Aug 24 10:44:44 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:44:44 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:44:44 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:44:44 ucsserver slapd[3330]: <= mdb_index_read 1 candidates
Aug 24 10:46:09 ucsserver slapd[3330]: <= mdb_index_read: failed (-30798)
Aug 24 10:46:09 ucsserver slapd[3330]: <= mdb_equality_candidates: (zarafaAccount) not indexed
Aug 24 10:46:09 ucsserver slapd[3330]: <= mdb_index_read 138 candidates
Aug 24 10:46:09 ucsserver slapd[3330]: <= mdb_index_read 1 candidates
Aug 24 10:47:06 ucsserver slapd[12529]: line 109 (index#011cn,givenName,mail,sn,uid pres,eq,sub,approx)
Aug 24 10:47:06 ucsserver slapd[12529]: index cn 0x071e
Aug 24 10:47:06 ucsserver slapd[12529]: index givenName 0x071e
Aug 24 10:47:06 ucsserver slapd[12529]: index mail 0x071e
Aug 24 10:47:06 ucsserver slapd[12529]: index sn 0x071e
Aug 24 10:47:06 ucsserver slapd[12529]: index uid 0x071e
Aug 24 10:47:06 ucsserver slapd[12529]: line 110 (index#011aRecord,automountInformation,description,displayName,macAddress,mailAlternativeAddress,mailPrimaryAddress,ou,relativeDomainName,univentionUDMPropertyLongDescription,univentionUDMPropertyShortDescription,zoneName pres,eq,sub)
Aug 24 10:47:06 ucsserver slapd[12529]: index aRecord 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index automountInformation 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index description 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index displayName 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index macAddress 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index mailAlternativeAddress 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index mailPrimaryAddress 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index ou 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index relativeDomainName 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyLongDescription 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyShortDescription 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: index zoneName 0x0716
Aug 24 10:47:06 ucsserver slapd[12529]: line 111 (index#011dhcpHWAddress,gidNumber,homeDirectory,krb5PrincipalName,memberUid,objectClass,uidNumber,uniqueMember,univentionMailHomeServer,univentionObjectFlag,univentionPolicyReference,univentionUDMPropertyCLIName,univentionUDMPropertyDefault,univentionUDMPropertyDeleteObjectClass,univentionUDMPropertyDoNotSearch,univentionUDMPropertyHook,univentionUDMPropertyLayoutOverwritePosition,univentionUDMPropertyLayoutOverwriteTab,univentionUDMPropertyLayoutPosition,univentionUDMPropertyLayoutTabAdvanced,univentionUDMPropertyLayoutTabName,univentionUDMPropertyLdapMapping,univentionUDMPropertyModule,univentionUDMPropertyMultivalue,univentionUDMPropertyObjectClass,univentionUDMPropertyOptions,univentionUDMPropertySyntax,univentionUDMPropertyTranslationLongDescription,univentionUDMPropertyTranslationShortDescription,univentionUDMPropertyTranslationTabName,univentionUDMPropertyValueMayChange,univentionUDMPropertyValueRequired,univentionUDMPropertyVersion pres,eq)
Aug 24 10:47:06 ucsserver slapd[12529]: index dhcpHWAddress 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index gidNumber 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index homeDirectory 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index krb5PrincipalName 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index memberUid 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index objectClass 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index uidNumber 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index uniqueMember 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionMailHomeServer 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionObjectFlag 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionPolicyReference 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyCLIName 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyDefault 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyDeleteObjectClass 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyDoNotSearch 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyHook 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyLayoutOverwritePosition 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyLayoutOverwriteTab 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyLayoutPosition 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyLayoutTabAdvanced 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyLayoutTabName 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyLdapMapping 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyModule 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyMultivalue 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyObjectClass 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyOptions 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertySyntax 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyTranslationLongDescription 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyTranslationShortDescription 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyTranslationTabName 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyValueMayChange 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyValueRequired 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMPropertyVersion 0x0006
Aug 24 10:47:06 ucsserver slapd[12529]: line 112 (index#011name pres,sub)
Aug 24 10:47:06 ucsserver slapd[12529]: index name 0x0712
Aug 24 10:47:06 ucsserver slapd[12529]: line 113 (index#011pTRRecord,sambaSID,univentionInventoryNumber eq,sub)
Aug 24 10:47:06 ucsserver slapd[12529]: index pTRRecord 0x0714
Aug 24 10:47:06 ucsserver slapd[12529]: index sambaSID 0x0714
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionInventoryNumber 0x0714
Aug 24 10:47:06 ucsserver slapd[12529]: line 114 (index#011shadowMax pres)
Aug 24 10:47:06 ucsserver slapd[12529]: index shadowMax 0x0002
Aug 24 10:47:06 ucsserver slapd[12529]: line 115 (index#011cNAMERecord,entryUUID,sambaAcctFlags,sambaDomainName,sambaGroupType,sambaPrimaryGroupSID,sambaSIDList,secretary,shadowExpire,univentionCanonicalRecipientRewriteEnabled,univentionLicenseModule,univentionLicenseObject,univentionNagiosHostname,univentionObjectType,univentionServerRole,univentionService,univentionShareGid,univentionShareSambaName,univentionShareWriteable,univentionUDMOptionModule,zarafaAccount eq)
Aug 24 10:47:06 ucsserver slapd[12529]: index cNAMERecord 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index entryUUID 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index sambaAcctFlags 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index sambaDomainName 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index sambaGroupType 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index sambaPrimaryGroupSID 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index sambaSIDList 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index secretary 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index shadowExpire 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionCanonicalRecipientRewriteEnabled 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionLicenseModule 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionLicenseObject 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionNagiosHostname 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionObjectType 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionServerRole 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionService 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionShareGid 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionShareSambaName 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionShareWriteable 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionUDMOptionModule 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: index zarafaAccount 0x0004
Aug 24 10:47:06 ucsserver slapd[12529]: line 116 (index#011associatedDomain,default,employeeNumber,univentionOperatingSystem,univentionSyntaxDescription sub)
Aug 24 10:47:06 ucsserver slapd[12529]: index associatedDomain 0x0710
Aug 24 10:47:06 ucsserver slapd[12529]: index employeeNumber 0x0710
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionOperatingSystem 0x0710
Aug 24 10:47:06 ucsserver slapd[12529]: index univentionSyntaxDescription 0x0710

Syslog mir Error gesucht kommt aber:

[quote]
Aug 24 10:55:06 ucsserver slapd[12530]: connection_read(43): input error=-2 id=5730, closing.
Aug 24 10:55:18 uc01ex02 slapd[12530]: connection_read(39): input error=-2 id=5878, closing.
Aug 24 10:55:28 uc01ex02 kernel: [43847.335999] univention-dire[13982]: segfault at 0 ip 00007f908b3c167f sp 00007ffc7f18df78 error 4 in libc-2.13.so[7f908b2a6000+182000]
Aug 24 10:55:30 uc01ex02 slapd[12530]: connection_read(43): input error=-2 id=6079, closing.[/quote]

Wo finde ich das:
Unter Konfiguration wird der Einrichtungs-Status des Connectors angezeigt. Durch Klick auf UCS Active Directory Connector einrichten kann die Konfiguration des AD Connectors begonnen werden


Die Index-Meldungen sehen jetzt ja soweit gut aus. Wie sieht es denn mit der CPU-Last aus?

Den AD-Connector brauchen Sie nicht manuell zu konfigurieren. Das geschieht bereits vollautomatisch während der Installation, wenn Sie dem AD als Mitgliedsserver beitreten.

die CPU last ist leider immer noch hoch

Log:

cat syslog | grep fail Aug 24 11:06:37 ucsserver slapd[12530]: ber_get_next on fd 45 failed errno=0 (Success) Aug 24 11:06:37 ucsserver slapd[12530]: <= mdb_entry_get: failed to find attribute uniqueMember Aug 24 11:06:37 ucsserver slapd[12530]: <= mdb_entry_get: failed to find attribute uniqueMember Aug 24 11:06:37 ucsserver slapd[12530]: <= mdb_entry_get: failed to find attribute uniqueMember Aug 24 11:06:37 ucsserver slapd[12530]: ber_get_next on fd 41 failed errno=0 (Success) Aug 24 11:06:37 ucsserver slapd[12530]: <= mdb_entry_get: failed to find attribute uniqueMember Aug 24 11:06:37 ucsserver slapd[12530]: <= mdb_entry_get: failed to find attribute uniqueMember Aug 24 11:06:37 ucsserver slapd[12530]: <= mdb_entry_get: failed to find attribute uniqueMember

Bleibt die Last auch weiterhin so hoch, wenn Sie das Debuglevel wieder auf 0 setzen und den slapd einmal neu starten?

Habe ich nun gemacht…aber noch mehr CPU last

top - 11:26:15 up 12:41, 3 users, load average: 2,87, 2,42, 2,64
Tasks: 283 total, 2 running, 281 sleeping, 0 stopped, 0 zombie
%Cpu(s): 9,4 us, 0,4 sy, 0,0 ni, 89,7 id, 0,2 wa, 0,0 hi, 0,3 si, 0,0 st
KiB Mem: 20607792 total, 13979316 used, 6628476 free, 685520 buffers
KiB Swap: 2097148 total, 0 used, 2097148 free, 10579800 cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19375 root 20 0 2690m 23m 11m S 62,5 0,1 0:14.20 slapd
19158 www-data 20 0 225m 29m 15m S 2,7 0,1 0:00.38 apache2
6121 root 20 0 711m 433m 11m S 2,0 2,2 17:42.31 zarafa-server
18929 www-data 20 0 227m 32m 16m S 2,0 0,2 0:01.34 apache2
19164 www-data 20 0 225m 28m 14m S 1,7 0,1 0:00.15 apache2
31298 fetchmai 20 0 40840 7772 4500 S 1,7 0,0 1:25.93 fetchmail
4867 mysql 20 0 504m 211m 10m S 1,0 1,1 22:31.14 mysqld
8040 Administ 20 0 576m 137m 50m S 1,0 0,7 8:17.01 firefox
19168 www-data 20 0 224m 27m 14m S 1,0 0,1 0:00.12 apache2

Syslog:

Aug 24 11:26:05 ucsserver rsyslogd-2177: imuxsock begins to drop messages from pid 12530 due to rate-limiting
Aug 24 11:26:05 ucsserver root: /etc/init.d/slapd restart (pid: 19319, ppid:19302 invoke-rc.d)
Aug 24 11:26:05 ucsserver root: /etc/init.d/slapd stop (pid: 19332, ppid:19319 slapd)
Aug 24 11:26:05 ucsserver root: /etc/init.d/slapd start (pid: 19360, ppid:19319 slapd)
Aug 24 11:26:05 ucsserver slapd[19374]: @(#) $OpenLDAP: slapd  (Mar 17 2015 12:50:06) $#012#011root@ladda:/var/build/temp/tmp.1KyAPTCr1s/pbuilder/openldap-2.4.40/debian/build/servers/slapd
Aug 24 11:26:51 ucsserver kernel: [45729.266058] univention-dire[19466]: segfault at 0 ip 00007f7f7ea4367f sp 00007fff91df56e8 error 4 in libc-2.13.so[7f7f7e928000+182000]
Aug 24 11:26:54 ucsserver nagios3: SERVICE NOTIFICATION: root@localhost;ucsserver.kunde.lan;UNIVENTION_REPLICATION;CRITICAL;notify-service-by-email;CRITICAL: no change of listener transaction id for last 10 checks (nid=25179 lid=)
Aug 24 11:27:51 ucsserver kernel: [45789.889177] univention-dire[19530]: segfault at 0 ip 00007f82dd13e67f sp 00007fff546ad668 error 4 in libc-2.13.so[7f82dd023000+182000]
Aug 24 11:28:52 ucsserver kernel: [45850.442158] univention-dire[19620]: segfault at 0 ip 00007faf35cc267f sp 00007fff95315bd8 error 4 in libc-2.13.so[7faf35ba7000+182000]
Aug 24 11:29:53 ucsserver kernel: [45911.031091] univention-dire[19688]: segfault at 0 ip 00007f88904ae67f sp 00007ffce11cbc08 error 4 in libc-2.13.so[7f8890393000+182000]
Aug 24 11:30:02 ucsserver /USR/SBIN/CRON[19850]: (root) CMD (if [ -x /usr/sbin/univention-pkgdb-check ]; then /usr/sbin/univention-pkgdb-check; fi)
Aug 24 11:30:02 ucsserver /USR/SBIN/CRON[19852]: (root) CMD (/usr/sbin/univention-mrtg)
Aug 24 11:30:02 ucsserver /USR/SBIN/CRON[19860]: (root) CMD (  if [ -x /usr/sbin/univention-umount-homedirs ]; then /usr/sbin/univention-umount-homedirs; fi)
Aug 24 11:30:02 ucsserver /USR/SBIN/CRON[19892]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[[:space:]]*[^#]*[[:space:]]*WorkDir' /etc/mrtg.cfg | awk '{ print $NF }')" ]; then mkdir -p /var/log/mrtg ; env LANG=C /usr/bin/mrtg /etc/mrtg.cfg 2>&1 | tee -a /var/log/mrtg/mrtg.log ; fi)
Aug 24 11:30:02 ucsserver /USR/SBIN/CRON[19910]: (root) CMD (/usr/sbin/jitter 600 /usr/share/univention-samba/slave-sync >>/var/log/univention/samba-sync.log 2>&1)
Aug 24 11:30:02 ucsserver /USR/SBIN/CRON[19917]: (root) CMD (  [ -x /usr/lib/univention-pam/ldap-group-to-file.py ] && /usr/lib/univention-pam/ldap-group-to-file.py --check_member)
Aug 24 11:30:02 ucsserver /USR/SBIN/CRON[19919]: (root) CMD ([ -x /usr/sbin/univention-system-stats ] && /usr/sbin/univention-system-stats >/dev/null)
Aug 24 11:30:53 ucsserver kernel: [45971.891987] univention-dire[20088]: segfault at 0 ip 00007fa635a1467f sp 00007fff6f8589f8 error 4 in libc-2.13.so[7fa6358f9000+182000]
Aug 24 11:31:54 ucsserver kernel: [46032.479513] univention-dire[20199]: segfault at 0 ip 00007f91376a867f sp 00007ffff69a4208 error 4 in libc-2.13.so[7f913758d000+182000]
root@ucsserver:/var/log#

Evtl. liegt das auch an den Anmeldungen. Verwenden Sie den Passwort-Synchronisations-Mechanismus zum AD? Falls nicht, sollten Sie den einrichten. Das ist in einem Support-Datenbank-Artikel beschrieben, aber auch im Admin-Handbuch.

Hallo,
ich habe nun das MSI Paket am AD installiert. Danach finde ich auf dem Domain Controller aber kein Programm?

Die Passwörter von der AD waren die Passwörter zur Zarafa Anmeldung. Aber ein Connector hatte ich bisher noch nie installiert.
Ist der erst ab Windows Server 2012 von nöten?

Ich habe nun das ausgeführt:

ucr set connector/ad/ldap/binddn=Administrator
ucr set connector/ad/ldap/bindpw=/etc/univention/connector/password
touch /etc/univention/connector/password
chmod 600 /etc/univention/connector/password
echo -n “Administrator password” > /etc/univention/connector/password

Habe danach den slapd neu gestartet. Das Syslog sieht aber genau gleich aus und der Dienst läuft immer noch mit hoher Last !!!

Bitte lesen Sie sich die Artikel, die ich verlinkt habe, beide noch einmal gründlich durch. Dort ist deutlich mehr zu tun, als nur ein paar »ucr set…« auszuführen. Gerade unter Windows müssen Zertifikate in den richtigen Ordner kopiert und der Dienst dort dann neu gestartet werden.

Mal ganz zurück zum Anfang: ist das ein neues Verhalten des Servers? Haben Sie im Vorfeld irgend etwas groß verändert? Haben Sie den Server schon mal rebootet?

Ja Server wurde schon 10 mal neu gestartet. Der Windows Domain und der UCS Server wurden letze Woche neu installiert.
Habe den Server letzen Abend 3-4 neu gestartet

Wir haben die Zarafa Datenbank diese Woche Importiert per mysql < backup.sql
Dann eben her hook-store die User der Datenbank zugeordnet.

Das mit dem Zertifikat mache ich gleich

Mastodon