[openstack-dev] Keystone Split Backend LDAP Hang Problem

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Wed Aug 7 20:56:20 UTC 2013 

Hello,

I ran into an issue/problem with keystone and it is ok to simply tell me to "don't do that", but I am wondering how others approach this problem.

I have the keystone H-2 split backend code connected the HP Enterprise Directory which is humongous in size. From that directory I have only one user configured with a project role in keystone. When I performed the following REST API call:
GET:   http://15.253.58.141:35357/v3/users

The keystone server took almost an hour and a half to process my request before responding with the correct information:

2013-07-28 08:54:24    DEBUG [keystone.common.ldap.core] LDAP bind: dn=cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-28 08:54:25    DEBUG [keystone.common.ldap.core] In get_connection 6 user: cn=CloudOSKeystoneDev, ou=Applications, o=hp.com
2013-07-28 08:54:25    DEBUG [keystone.common.ldap.core] MY query in _ldap_get_all filter: None, query: (&(objectClass=hpPerson))
2013-07-28 08:54:25    DEBUG [keystone.common.ldap.core] LDAP search: dn=ou=People,o=hp.com, scope=2, query=(&(objectClass=hpPerson)), attrs=['None', 'userPassword', 'hpStatus', 'mail', 'cn']
2013-07-28 10:20:10     INFO [access] 15.253.57.88 - - [28/Jul/2013:17:20:10 +0000] "GET http://15.253.58.141:35357/v3/users HTTP/1.0" 200 87832184
2013-07-28 10:20:25    DEBUG [eventlet.wsgi.server] 15.253.57.88 - - [28/Jul/2013 10:20:25] "GET /v3/users HTTP/1.1" 200 87832342 5160.268039

REST API response:

{
    "user": {
        "name": "mark.m.miller at hp.com",
        "links": {
            "self": "http://localhost:5000/v3/users/mark.m.miller@hp.com"
        },
        "enabled": "Active",
        "domain_id": "default",
        "email": "mark_m_miller at hp.com",
        "id": "mark.m.miller at hp.com"
    }
}

After completing my request I found that Keystone was locked up and required a stop/start service command to get it responding again. How do other people with ldap backends handle this problem?

Thanks,

Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130807/c0294bac/attachment.html>

More information about the OpenStack-dev mailing list