Symantec Access Management

 View Only
Expand all | Collapse all

CA Directory Session Store warn log full of 'not indexed' messages

  • 1.  CA Directory Session Store warn log full of 'not indexed' messages

    Broadcom Employee
    Posted Jan 24, 2018 02:35 PM

    I have followed the instructions at this link to set up a session store in a lab environment with CA Directory r12.6.03 and CA SSO r12.7 sp01:

    https://docops.ca.com/ca-single-sign-on/12-7/en/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-ca-directory-as-a-session-store

    These instructions provide specific settings for cache-index management:

    set cache-index = smSessionId, smExpirationTime, smIdleExpirationTime, smSearchData, smVariableName, smFullVariableName;

    set lookup-cache = true;

    Over the past week, the SessionStore warn log has accumulated 1-4MB of nag messages each day for these three attributes with as many as 65,000 messages in a day:

    [5] 20180124.000033.676 WARN : RDN attribute 'cn' is not indexed
    [6] 20180124.000033.677 WARN : RDN attribute 'ou' is not indexed
    [6] 20180124.000033.677 WARN : RDN attribute 'smTimeValue' is not indexed

    It would be nice if the documentation recommended a configuration that doesn't clutter the log files with expected nuisance messages.  What's the best approach to eliminate these warning messages?  Should the offending attributes be added to the "set cache-index" statement, or are there other configuration directives that may be used to keep the logs from getting cluttered without having an adverse impact on performance by adding unnecessary indexes?



  • 2.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Posted Jan 24, 2018 03:55 PM

    Rich Rich_Faust

     

    I don't think the "warn-log" has logging level.

     

    Only "trace-log" has logging levels.

     

    If warn-log is the concern, then turn it off by either commenting "set warn-log" or using Close.

     

    As for the question on indexing, login to dxserver console and execute the command "get cache". This would suggest if the attributes are being used OR how heavily the attributes are being used. Based on that, we can decide, if an attribute needs to be indexed. 

    https://docops.ca.com/ca-directory/14/en/reference/commands-reference/get-cache-command-display-the-cache-configuration 



  • 3.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Broadcom Employee
    Posted Jan 25, 2018 11:00 AM

    I really want to keep the warn log enabled.  An immediate goal is to understand why the basic configuration recommended by the documentation results in all of these warning messages, then feed back any lessons learned to the documentation team.  And, when configuring a production environment with much higher load than my little development environment, I want the warn log functional and not cluttered daily by tens of thousands 'not indexed' message that could be obscuring more use warning message. Here's the output of the 'get cache;' command from my lab:


    dsa> get cache;
    get cache;

    Cache enabled
    cache-no-scan = FALSE
    interrupt-searches = FALSE
    dxgrid-queue = TRUE
    use-rdn-index = FALSE
    max-filter-norm-size(MB) = 100
    cache-index =
      objectClass dxDeleteTimestamp createTimestamp modifyTimestamp smSessionId smExpirationTime smIdleExpirationTime
    cache-reverse = (none)
    Counters: [ entries ( values search-hits) ]
      objectClass(0): 20(9 17)
      dxDeleteTimestamp(5): 0(0 0)
      createTimestamp(6): 9(8 0)
      modifyTimestamp(7): 3(3 0)
      smSessionId(23): 1(1 0)
      smExpirationTime(25): 1(1 0)
      smIdleExpirationTime(26): 1(1 0)
    Number of EIDs in use 9
    Memory used by cache: 5818240 out of 5830592
       (Memory initially used by data only: 1610032)
    Memory leaked 0

    Number of Cache Hits 159
    Number of Sequential Scans 0
    Free lists:
      EntryLists: 0
      Constrained values: 396
      Unconstrained values: 0
      IndexList: 88016
    dxgrid-db-location = /apps/CA/Directory/dxserver/data
    dxgrid-tx-location = /apps/CA/Directory/dxserver/data
    dxgrid-backup-location = /apps/CA/Directory/dxserver/data
    dxgrid-db-size = 4000000
    Used bytes in file = 4664
    Reclaimable bytes = 2564
    Total number of entries = 9
    disable-transaction-log = true
    disable-transaction-log-flush = true

    dsa>



  • 4.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Posted Jan 25, 2018 01:15 PM

    As we see, since this is a Session Store, there are no searches for 'cn' and 'ou'. So there is no point indexing those attributes. Regarding warn-log, I think it may be best to raise a Support Case to get a engineering perspective on it.

     

    Counters: [ entries ( values search-hits) ]
      objectClass(0): 20(9 17)
      dxDeleteTimestamp(5): 0(0 0)
      createTimestamp(6): 9(8 0)
      modifyTimestamp(7): 3(3 0)
      smSessionId(23): 1(1 0)
      smExpirationTime(25): 1(1 0)
      smIdleExpirationTime(26): 1(1 0)



  • 5.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Broadcom Employee
    Posted Jan 25, 2018 04:14 PM

    The offending attributes are NOT indexed, so I wouldn't expect to see any information regarding them reported by the 'get cache' statement.  It seems to me that cn, ou and smTimeValue attributes are referenced quite frequently.  For some reason, CA Directory is throwing warning messages on every request.

    Here's my SessionStore heirarchy:

    Notes:

    • cn=admin is the directory administrator and used by the policy server to bind to the session store.
    • ou=sessionstore is the container recommended by the documentation when implementing a CA Directory as a session store.
    • cn=<hostname>.rjf.mirimar.org:44442  - An entry like this is created for each policy server that binds to all of the session stores that replicate to each other. I can't tell that these entries ever get modified.
    • smTimeValue gets updated once a minute and has objectClasses of top (abstract) and smTimedLock (structural).

    I did a rough calculation and see that these 'not indexed' messages are written to the warn log once every 3 seconds.  

    There's an option that can be set before a DSA is loaded, "set use-rdn-index = true;".  I've been trying to learn more about that particular setting, but a search for 'use-rdn-index' in docops for r12.6 doesn't return any exact matches.  I think I'm going to try 'set cache-index = all' and see what happens.



  • 6.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Broadcom Employee
    Posted Jan 25, 2018 04:32 PM

    OK, I indexed all attributes and a much longer list is returned by 'get cache':

     

    dsa> get cache;
    get cache;

     

    Cache enabled
    cache-no-scan = FALSE
    interrupt-searches = FALSE
    dxgrid-queue = TRUE
    use-rdn-index = FALSE
    max-filter-norm-size(MB) = 100
    cache-index = all-attributes
    cache-reverse = (none)
    Counters: [ entries ( values search-hits) ]
     objectClass(0): 22(9 0)
     userPassword(2): 1(1 0)
     createTimestamp(6): 10(9 0)
     modifyTimestamp(7): 3(3 0)
     cn(13): 5(5 0)
     sn(14): 1(1 0)
     creatorsName(15): 9(1 0)
     smLastmClose(17): 1(1 0)
     smVersion(18): 1(1 0)
     smTimeValue(19): 2(2 0)
     smServerId(20): 2(1 0)
     modifiersName(21): 2(1 0)
     ou(22): 1(1 0)
     smSessionId(23): 2(2 0)
     smMaxIdleTime(24): 2(1 0)
     smExpirationTime(25): 2(2 0)
     smIdleExpirationTime(26): 2(2 0)
     smLastAccessTime(27): 2(2 0)
     smSessionBlob(28): 2(2 0)
     smSessionStatus(29): 2(1 0)
    Number of EIDs in use 10
    Memory used by cache: 7416520 out of 7426832
      (Memory initially used by data only: 1610032)
    Memory leaked 0

     

    Number of Cache Hits 9
    Number of Sequential Scans 0
    Free lists:
     EntryLists: 0
     Constrained values: 336
     Unconstrained values: 484
     IndexList: 0
    dxgrid-db-location = /apps/CA/Directory/dxserver/data
    dxgrid-tx-location = /apps/CA/Directory/dxserver/data
    dxgrid-backup-location = /apps/CA/Directory/dxserver/data
    dxgrid-db-size = 4000000
    Used bytes in file = 4664
    Reclaimable bytes = 1842
    Total number of entries = 10
    disable-transaction-log = true
    disable-transaction-log-flush = true

     

    dsa>

     

    The warn log is now quiet.



  • 7.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Posted Jan 25, 2018 05:01 PM

    This list is deceptive as of now. Give it about an hour or so then re-run "get cache". That will be a good representation of actuals.

     

    Counters: [ entries ( values search-hits) ]
     objectClass(0): 22(9 0)
     userPassword(2): 1(1 0)
     createTimestamp(6): 10(9 0)
     modifyTimestamp(7): 3(3 0)
     cn(13): 5(5 0)
     sn(14): 1(1 0)
     creatorsName(15): 9(1 0)
     smLastmClose(17): 1(1 0)
     smVersion(18): 1(1 0)
     smTimeValue(19): 2(2 0)
     smServerId(20): 2(1 0)
     modifiersName(21): 2(1 0)
     ou(22): 1(1 0)
     smSessionId(23): 2(2 0)
     smMaxIdleTime(24): 2(1 0)
     smExpirationTime(25): 2(2 0)
     smIdleExpirationTime(26): 2(2 0)
     smLastAccessTime(27): 2(2 0)
     smSessionBlob(28): 2(2 0)
     smSessionStatus(29): 2(1 0)

     

     

    https://docops.ca.com/ca-directory/14/en/reference/commands-reference/get-cache-command-display-the-cache-configuration

    The following entry shows that there are 1001235 values, all distinct, and 5879 searches used this index:

    uid: 1001235 (1001235 5879)

     

    By that definition

     

    cn(13): 5(5 0)

     

    There are 5 CN's and they are all distinct. Your screenshot of the tree confirms it. But there were 0 searches at this moment.

     

    If we want to see the Query, use the trace log and see what periodic queries are being sent to DSA. Again if we want to see real time dxconsole spews real time, with "set trace = < >"

     

    Regards

    Hubert

     



  • 8.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Broadcom Employee
    Posted Jan 26, 2018 03:21 PM

    Basically these messages is the way to let the administrator know that you are accessing/requesting an attribute that is not index while it should be for better performance.

     

    Please keep in mind that provided 'set cache-index' in the doc is only provided as an example using best practice. The way Session Store is configured to be used can change depending on a business need.

     

    If your DIT (Directory Information Tree) structures contains 'ou' and/or 'cn' and if that is being search for, you will see this WARN as an informational msg which I can understand why it can be nuisance due to the volume and rate it is being written to the dsaname_warn_timestamp.log file.

     

    I see why this is happening (at least for 'cn' part) is the fact that the doc first speaks of setting up 'set cache-index' parameter with an example of attribute names (which doesn't include 'ou' or 'cn') while later on it speaks of creating an administrative with an example of "cn=admin,o=forwardinc,c=us" (I see in your case it looks like cn=admin,dc=mirimar,dc=org) while you also have a DIT of "ou=sessionstore,dc=mirimar,dc=org" where the rest of the information is designed to reside.

     

    If you really do not want to see this informational WARM msgs, you can simply add those attribute names to 'cache-index' list and restart the DSA and it should go away.

     

    -Hitesh



  • 9.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Broadcom Employee
    Posted Feb 09, 2018 10:35 AM

    This thread was marked as having the correct answer, but I don't think we're done yet...

    hitesh.patel1.1, you stated:

    If your DIT (Directory Information Tree) structures contains 'ou' and/or 'cn' and if that is being search for, you will see this WARN as an informational msg which I can understand why it can be nuisance due to the volume and rate it is being written to the dsaname_warn_timestamp.log file.

    I created several dozen session cookies over a few days and confirmed they were added to the session store using an LDAP browser.  I then used the console to check the cache and have highlighted several items:

    dsa> get cache;

    get cache;

     

    Cache enabled

    cache-no-scan = FALSE

    interrupt-searches = FALSE

    dxgrid-queue = TRUE

    use-rdn-index = FALSE

    max-filter-norm-size(MB) = 100

    cache-index =

     objectClass dxDeleteTimestamp createTimestamp modifyTimestamp cn smTimeValue ou smSessionId smExpirationTime smIdleExpirationTime

    cache-reverse = (none)

    Counters: [ entries ( values search-hits) ]

     objectClass(0): 32(9 1879)

     dxDeleteTimestamp(5): 899(898 1)

     createTimestamp(6): 15(14 8)

     modifyTimestamp(7): 5(5 8)

     cn(13): 6(6 0)

     smTimeValue(19): 894(894 0)

     ou(22): 1(1 0)

     smSessionId(23): 13(13 0)

     smExpirationTime(25): 6(6 0)

     smIdleExpirationTime(26): 6(6 4)

    Number of EIDs in use 914

    Memory used by cache: 6464536 out of 6507518

      (Memory initially used by data only: 1610032)

    Memory leaked 0

     

    Number of Cache Hits 34424

    Number of Sequential Scans 0

    Free lists:

     EntryLists: 0

     Constrained values: 244

     Unconstrained values: 0

     IndexList: 0

    dxgrid-db-location = /apps/CA/Directory/dxserver/data

    dxgrid-tx-location = /apps/CA/Directory/dxserver/data

    dxgrid-backup-location = /apps/CA/Directory/dxserver/data

    dxgrid-db-size = 4000000

    Used bytes in file = 36572

    Reclaimable bytes = 130

    Total number of entries = 914

    disable-transaction-log = true

    disable-transaction-log-flush = true

     

    dsa>    

    Note there are over 34,424 cache hits, but the only attribute with a significant number of search hits is objectClass. Attributes with search hits are highlighted in green.  The items I added to get the warn log to calm down are highlighted in yellow, and there are NO cache hits for them.  smSessionId and smExpirationTime also have no search hits, even though the documentataion recommends those objects be indexed.

    HubertDennis suggested that 'search hits' are what make the cache useful.  If that's true, then I see a disconnect between the fact that the warn log fills up with messages regarding ou, cn, and smTimeValue if those attributes aren't indexed, yet they appear to get no search hits if they are indexed.  It seems to me that the code is writing messages to the log file when it can't find those attributes in cache.  Wouldn't that constitute a search?  Here are my questions:

    • Is there any performance benefit (or performance hit?) to indexing ou, cn, and smTimeValue?
    • Is the code actually searching for ou, cn, and smTimeValue but those searches and search hits are not being logged correctly?
    • Is the code incorrectly writing messages to the warn log if those attributes are not indexed?

    I'm pretty new to CA Directory and trying to understand which is worse:  lots of useless, expected messages in the warn log, or possible overhead added by 3 addtional indexes that don't get any search hits.



  • 10.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Posted Feb 10, 2018 02:25 PM

    Rich

     

    Good points.

     

    I spun my CA Directory instance back to life, so we see "0" as the last value. Hence ignore that for now.

     

    Here is a difference between a PStore, SStore, UStore. If we look at the "Counters:" they are different for PStore, SStore, UStore. Now we know for a fact, that PStore and SStore schema's are the same. However as we can see in "Counters:", there are unique counters between the instances (apart DC / OU / CN). Which is indicative of what attributes were probably searched OR are populated (in other words updated).

     

    But as you mention in your points, something does not align correctly. Also I think the examples in documentation link I pasted needs to be more aligned to actual's.

     

    e.g

    Doc : uid: 1001235 (1001235 5879)

    Actuals : uid(16): 11(11 0)

     

     

    PStoreSStoreUStore

    Cache enabled
    cache-no-scan = FALSE
    interrupt-searches = FALSE
    dxgrid-queue = TRUE
    use-rdn-index = FALSE
    max-filter-norm-size(MB) = 100
    cache-index = all-attributes
    cache-reverse = (none)
    Counters: [ entries ( values search-hits) ]
    objectClass(0): 13087(36 0)
    userPassword(2): 2(1 0)
    createTimestamp(6): 6539(4195 0)
    modifyTimestamp(7): 768(448 0)
    dc(13): 1(1 0)
    ou(14): 7(7 0)
    cn(15): 2148(745 0)
    uid(16): 2(2 0)
    sn(17): 2(2 0)
    givenName(18): 1(1 0)
    modifiersName(19): 768(2 0)
    smRootConfigOID4(20): 1(1 0)
    smEnableUserTracking4(21): 1(1 0)
    smDynamicPrefs4(22): 1(1 0)
    smMajorVersion5(23): 1(1 0)
    smMinorVersion5(24): 1(1 0)
    smMode5(25): 1(1 0)
    creatorsName(26): 6529(1 0)
    smAdminOID4(27): 2(2 0)
    smUserDirectoryOID4(28): 19(6 0)
    smSchemeOID4(29): 50(34 0)
    description(30): 359(97 0)
    smAdminPassword4(31): 2(2 0)
    smAdminDirAuth4(32): 2(1 0)
    smRights4(33): 2(2 0)
    xpsParameter(38): 1(1 0)
    xpsVendor(39): 1(1 0)
    xpsProduct(40): 1(1 0)
    xpsName(41): 1(1 0)
    xpsValue(42): 1(1 0)
    smPropertyCollectionOID5(43): 45(30 0)
    smDomainOID4(44): 141(7 0)
    smIsAffiliate4(45): 7(2 0)
    smDomainMode5(46): 7(3 0)
    smRealmOID4(47): 30(15 0)
    smResourceFilter4(48): 15(14 0)
    smAgentOID4(49): 21(10 0)
    smAgentTypeOID4(50): 244(18 0)
    smProcessAuthEvents4(51): 15(1 0)
    smProcessAzEvents4(52): 15(1 0)
    smProtectAll4(53): 15(2 0)
    smSelfRegOID4(54): 15(1 0)
    smAzUserDirOID4(55): 15(1 0)
    smMaxTimeout4(56): 15(1 0)
    smIdleTimeout4(57): 15(1 0)
    smParentRealmOID4(58): 15(7 0)
    smPersistentSessionType5(59): 15(1 0)
    smSessionDrift5(60): 15(1 0)
    smSyncAudit4(61): 15(1 0)
    xpsNumber(62): 4301(4301 0)
    xpsCategory(63): 4301(3 0)
    xpsClass(64): 4301(59 0)
    xpsGUID(65): 4301(4297 0)
    xpsSortKey(66): 4301(4301 0)
    xpsUpdateBy(67): 4301(8 0)
    xpsUpdateMethod(68): 4301(5 0)
    xpsParent(69): 4086(472 0)
    xpsProperty(70): 17059(3757 0)
    smPropertySectionOID5(71): 1787(15 0)
    smPropertyOID5(72): 1772(1772 0)
    smPropertyValue5(73): 1772(81 0)
    smpropertyflags5(74): 1772(3 0)
    smAgentTypeType4(75): 17(2 0)
    smResourceType4(76): 17(2 0)
    smAgentTypeSpecificBytes4(77): 17(2 0)
    smAgentTyperfcid4(78): 17(10 0)
    smAgentTypeActions4(79): 64(35 0)
    smSharedSecretPolicyOID6(80): 1(1 0)
    smRolloverPolicyEnabled6(81): 1(1 0)
    smRolloverChangePeriod6(82): 1(1 0)
    smRolloverChangeFrequency6(83): 1(1 0)
    smNamespace4(84): 5(2 0)
    smServer4(85): 5(4 0)
    smSearchRoot4(86): 5(3 0)
    smUserLookupStart4(87): 5(2 0)
    smUserLookupEnd4(88): 5(2 0)
    smUserName4(89): 5(2 0)
    smUserPassword4(90): 5(2 0)
    smSearchTimeout4(91): 5(2 0)
    smSearchResults4(92): 5(1 0)
    smSearchScope4(93): 5(1 0)
    smSecureConnection4(94): 5(1 0)
    smRequireCredentials4(95): 5(2 0)
    smDisabledAttr4(96): 5(2 0)
    smUniversaliDAttr4(97): 5(2 0)
    smODBCQueryOID4(98): 5(1 0)
    smGuidAttr4(99): 5(1 0)
    smblobattr4(100): 5(2 0)
    smPasswordAttribute4(101): 5(2 0)
    smEmailAddressAttr4(102): 5(1 0)
    smChallengeRespAttr4(103): 5(1 0)
    smEnableSecurityContext5(104): 5(1 0)
    smvariabletypeoid5(105): 17(11 0)
    smfilter5(106): 11(1 0)
    smSchemeLib4(107): 33(21 0)
    smSchemeSecret4(108): 33(1 0)
    smSchemeParam4(109): 33(17 0)
    smSchemeLevel4(110): 33(5 0)
    smisTemplate4(111): 33(2 0)
    smisUsedbyAdmin4(112): 33(2 0)
    smSchemeType4(113): 33(27 0)
    smAllowSaveCreds4(114): 33(1 0)
    smIsRadius4(115): 33(2 0)
    smIgnorePwCheck4(116): 33(2 0)
    smImsEnvironmentOIDs5(117): 5(1 0)
    smDomainUDs4(118): 7(5 0)
    smDomainAdminOIDs4(119): 5(1 0)
    smAgentTypeAttrOID4(120): 215(180 0)
    smDataType4(121): 180(4 0)
    smRadiusType4(122): 180(3 0)
    smAgentTypeAttriD4(123): 180(150 0)
    smAccessRequest4(124): 180(4 0)
    smAccessAccept4(125): 187(3 0)
    smAccessReject4(126): 187(3 0)
    smAccessChallenge4(127): 187(3 0)
    smAccountingRequest4(128): 180(4 0)
    smAccountingResponse4(129): 180(2 0)
    smAttrValues4(130): 319(171 0)
    smAgentGroupOID4(131): 3(3 0)
    smRuleOID4(132): 29(15 0)
    smAllowAccess4(133): 31(2 0)
    smRegularExpression4(134): 15(1 0)
    smTime4(135): 31(1 0)
    smAction4(136): 15(3 0)
    smResource4(137): 15(7 0)
    smIsEnabled4(138): 32(2 0)
    smActiveExprOID5(139): 80(15 0)
    smvariableoid5(140): 6(6 0)
    smDefinition5(141): 6(6 0)
    smreturntype5(142): 6(1 0)
    smPreFetchFlag5(143): 6(1 0)
    smMetaData5(144): 6(1 0)
    smPolicyOID4(145): 41(16 0)
    smIPAddress4(146): 20(3 0)
    smusractiveexproid5(147): 16(1 0)
    smPolicyLinkOID4(148): 14(14 0)
    smResponseOID4(149): 56(8 0)
    smusesvariables5(150): 14(2 0)
    smexpr5(151): 14(8 0)
    smVariableOIDs5(152): 12(6 0)
    smUserPolicyOID4(153): 11(11 0)
    smFilterPath4(154): 11(2 0)
    smFilterClass4(155): 11(2 0)
    smPolicyResolution4(156): 11(2 0)
    smPolicyFlags4(157): 11(1 0)
    smResponseAttrOID4(158): 35(35 0)
    smValue4(159): 35(35 0)
    smTTL4(160): 35(1 0)
    smFlags4(161): 36(1 0)
    smNestedVariableOIDs5(162): 6(1 0)
    smAGAgents4(163): 4(3 0)
    smKeyManagementOID4(164): 1(1 0)
    smChangeFreq4(165): 1(1 0)
    smChangeValue4(166): 1(1 0)
    smNewKeySetTime4(167): 1(1 0)
    smOldKeySetTime4(168): 1(1 0)
    smFireHour4(169): 1(1 0)
    smPersistentKey4(170): 1(1 0)
    smAgentKeyOID4(171): 4(4 0)
    smKeyMarker4(172): 4(4 0)
    smKey4(173): 4(1 0)
    smTrustedHostOID5(174): 4(4 0)
    smSharedSecret4(175): 4(4 0)
    smIs4xTrustedHost5(176): 4(2 0)
    smSecretRolloverEnabled6(177): 4(1 0)
    smSecretGenTime6(178): 4(1 0)
    smSecretUsedTime6(179): 4(1 0)
    smSecretPreviousSecret6(180): 4(1 0)
    xpsTombstone(181): 49(8 0)
    smRealmHintiD4(182): 6(1 0)
    smResponseGroupOID4(183): 1(1 0)
    smRGResponses4(184): 1(1 0)
    smcertmapOID4(186): 1(1 0)
    smIssuerDN4(187): 1(1 0)
    smmaptoldap4(188): 1(1 0)
    smldapcadn4(189): 1(1 0)
    smdirtype4(190): 1(1 0)
    Number of EIDs in use 6538
    Memory used by cache: 52413456 out of 54528268
    (Memory initially used by data only: 5094970)
    Memory leaked 0

    Number of Cache Hits 0
    Number of Sequential Scans 0
    Free lists:
    EntryLists: 0
    Constrained values: 0
    Unconstrained values: 0
    IndexList: 0
    dxgrid-db-location = /cadir_HomeDir/programfiles/CA/Directory/dxserver/data
    dxgrid-tx-location = .
    dxgrid-backup-location = .
    dxgrid-db-size = 500000000
    Used bytes in file = 2472902
    Reclaimable bytes = 26432
    Total number of entries = 6538
    disable-transaction-log = false
    disable-transaction-log-flush = false

    Cache enabled
    cache-no-scan = FALSE
    interrupt-searches = FALSE
    dxgrid-queue = TRUE
    use-rdn-index = FALSE
    max-filter-norm-size(MB) = 100
    cache-index = all-attributes
    cache-reverse = (none)
    Counters: [ entries ( values search-hits) ]
    objectClass(0): 22(9 0)
    userPassword(2): 3(3 0)
    createTimestamp(6): 11(9 0)
    modifyTimestamp(7): 2(2 0)
    dc(13): 1(1 0)
    ou(14): 3(3 0)
    cn(15): 5(5 0)
    uid(16): 3(3 0)
    sn(17): 3(3 0)
    givenName(18): 2(2 0)
    creatorsName(19): 5(1 0)
    smLastmClose(20): 1(1 0)
    smVersion(21): 1(1 0)
    smTimeValue(22): 2(2 0)
    smServerId(23): 2(1 0)
    modifiersName(24): 2(1 0)
    displayName(25): 1(1 0)
    Number of EIDs in use 10
    Memory used by cache: 6095704 out of 6128072
    (Memory initially used by data only: 1610032)
    Memory leaked 0

    Number of Cache Hits 0
    Number of Sequential Scans 0
    Free lists:
    EntryLists: 0
    Constrained values: 0
    Unconstrained values: 0
    IndexList: 0
    dxgrid-db-location = /cadir_HomeDir/programfiles/CA/Directory/dxserver/data
    dxgrid-tx-location = .
    dxgrid-backup-location = .
    dxgrid-db-size = 500000000
    Used bytes in file = 1854
    Reclaimable bytes = 164
    Total number of entries = 10
    disable-transaction-log = false
    disable-transaction-log-flush = false

    Cache enabled
    cache-no-scan = FALSE
    interrupt-searches = FALSE
    dxgrid-queue = TRUE
    use-rdn-index = FALSE
    max-filter-norm-size(MB) = 100
    cache-index = all-attributes
    cache-reverse = (none)
    Counters: [ entries ( values search-hits) ]
    objectClass(0): 27(5 0)
    userPassword(2): 11(11 0)
    createTimestamp(6): 19(12 0)
    modifyTimestamp(7): 4(4 0)
    dc(13): 1(1 0)
    ou(14): 4(4 0)
    cn(15): 14(14 0)
    uid(16): 11(11 0)
    sn(17): 11(11 0)
    givenName(18): 11(11 0)
    mail(19): 11(11 0)
    displayName(20): 11(11 0)
    creatorsName(21): 4(1 0)
    modifiersName(22): 3(1 0)
    member(23): 3(3 0)
    Number of EIDs in use 18
    Memory used by cache: 5571880 out of 5601832
    (Memory initially used by data only: 1610032)
    Memory leaked 0

    Number of Cache Hits 0
    Number of Sequential Scans 0
    Free lists:
    EntryLists: 0
    Constrained values: 0
    Unconstrained values: 0
    IndexList: 0
    dxgrid-db-location = /cadir_HomeDir/programfiles/CA/Directory/dxserver/data
    dxgrid-tx-location = .
    dxgrid-backup-location = .
    dxgrid-db-size = 500000000
    Used bytes in file = 3852
    Reclaimable bytes = 0
    Total number of entries = 18
    disable-transaction-log = false
    disable-transaction-log-flush = false



  • 11.  Re: CA Directory Session Store warn log full of 'not indexed' messages

    Posted Feb 12, 2018 09:05 PM

    Hi Guys,

     

    RDN warnings are a little different to search filtering issues so this would be the cause of the disconnect.

     

    When the DSA receives a request containing an DN, the DSA will navigate to that level of the directory information tree each RDN at a time. This will occur for any request to locate the entry.

     

    During navigation, the DSA will use:

    1. RDN index if "set use-rdn-index = true;"
    2. if 1 not set, the normal index (cache-index = <attr>)
    3. if 1 and 2 not set, scan values at a particular level in the directory information tree (display RDN warning)

     

    For example, a modify of DN "uid=justin,ou=ca,c=au" will start at the prefix <c au> then look up <ou ca>, once found will look up <uid justin>. In this example, if ou isn't indexed, the DSA just scan the entries under <c au> to find the entry.

     

    As these DN items aren't indexed, the warning is displayed. Enabling use-rdn-index will remove this warning, but I'm not sure how this would compare performance-wise to using the normal index or not indexing at all (apart from junking up the warn-log). Looking at the "get cache;" results above I wouldn't envisage and performance difference between any method given the number of values for cn, ou, smTimeValue are small.

     

    When the cache is used during navigation, the cache statistics aren't updated and therefore, are not a good measure of how these indexes have been utilized to look up entries. The "get cache;" stats are useful for checking for performance issues (when sequential scans > 0) or if attributes are used in searches and can be removed from indexing to save memory. The attribute level search hit statistic is only incremented when a search contains that attribute in a filter, e.g., a search (uid=justin) will use the index uid and therefore increment this as a hit. The global search hits are incremented for every search request regardless of if the search contains a filter or not.

     

    Summary,

    • set use-rdn-index = true; or including in indexing list will remove this warning. I can't see either option having an impact on navigation performance
    • The cache may be used by the DSA to locate entries and these statistics aren't records in "get cache;"
    • Search hits are incremented for each locally performed search
    • Attribute search hits are incremented when a local search includes a filter and that filter item is used to resolve the search request

     

    Hope that helps.

     

    Justin