DSfW: Slow logins and tokenGroupsDomainLocal attribute

  • 7011498
  • 12-Dec-2012
  • 17-Dec-2012

Environment

Novell Open Enterprise Server 11 (OES11) Linux
Novell Open Enterprise Server 11 SP1 (OES11SP1) Linux
Domain Services for Windows
DSFW

Situation

DSfW users are experiencing slow logins
Users are members of 50 or more groups
An LDAP trace shows the tokenGroupsDomainLocal attribute being requested over and over again, once for each group

Resolution

DSfW, like AD, has three types of groups: Domain Local, Global, and Universal.  The default group type is Universal.
Slow logins can be a result of the group type.  Global and Universal groups calculate a virtual attribute called tokenGroupsDomainLocal.  This attribute is calculated for each group by the slapi layer.  When a user is a member of several groups, login times can increase.  An increase in ndsd utilization can also result from the calculation of tokenGroupsDomainLocal when a large number of groups reside within the domain.

If ndsd utilization is high or login times need to be reduced, change groups to Domain Local groups to avoid the calculation of the tokenGroupsDomainLocal virtual attribute.

The grouptype attribute has been shown to cause ndsd to go into high utilization during the provisioning wizard with re-installs of DSfW.  If DSfW was installed, then removed, then installed again, and there are several groups and users are members of multiple groups, then ndsd can go into high utilization, causing the provisioning wizard to hang.  Remove the grouptype attribute from the groups and then continue the DSfW install.

MMC, iManager, or an ldif can be used to change the group type.  With iManager, use the Other tab to change the value of the group type.
To list all groups and their grouptype with ldapsearch, run the following command ($defaultnamingcontext must hold the DN of the domain's naming context; the script under Additional Information shows how to read it from the root DSE):
LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf /usr/bin/ldapsearch -LLL -Q -Y EXTERNAL -b "$defaultnamingcontext" -s sub '(&(objectclass=group)(!(|(cn:dn:=Builtin)(cn:dn:=Configuration)(cn:dn:=Users)))(grouptype=*))' dn grouptype

If another container or group should be excluded from the ldapsearch, add (ou:dn:=CONTAINER) or (cn:dn:=NAMEofGROUP) to the filter, directly after (!(| and before (cn:dn:=Builtin).

The value for a Domain Local group type is -2147483644.

See TID 7004405 for more information on Group Types.

Additional Information

Looking to change the grouptype of several groups? Try the following script.  You can run it once, press Ctrl-C to stop the modifications from taking place, and look at each group to make sure you want it changed to Domain Local.  If all groups need to be changed, run the script again to completion.  Otherwise, edit /tmp/replace_grouptype.ldif and run /usr/bin/ldapadd -Y EXTERNAL -f /tmp/replace_grouptype.ldif

#!/bin/bash
####################################################################################################################
# Novell Inc.
# 1800 South Novell Place
# Provo, UT 84606-6194
# Script Name: replace_grouptype_domainlocal.sh
# Description: This will generate an ldif to change the grouptype to Domain Local for all groups within the DSfW domain except groups in cn=Users, cn=Configuration, and cn=Builtin.
#
# %Version: 1.0
# %Creating Date: Fri Dec 14 07:37:02 MST 2021
# %Created by: Rance Burker - Novell Technical Services
####################################################################################################################
# Use the DSfW LDAP client configuration for every ldapsearch/ldapadd below.
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf

# Read the domain's naming context (for example dc=example,dc=com) from the root DSE.
defaultnamingcontext=`/usr/bin/ldapsearch -x -b "" -s base defaultnamingcontext | grep -i 'defaultnamingcontext: ' | awk '{print $2}'`
if [ -z "$defaultnamingcontext" ]; then
    echo "Could not read defaultnamingcontext from the root DSE; aborting." >&2
    exit 1
fi

# List the DN of every group with a grouptype outside cn=Builtin, cn=Configuration and cn=Users,
# unfold LDIF continuation lines (GNU sed), then turn each "dn:" line into a modify record
# that replaces grouptype with the Domain Local value -2147483644.
/usr/bin/ldapsearch -LLL -Q -Y EXTERNAL -b "$defaultnamingcontext" -s sub '(&(objectclass=group)(!(|(cn:dn:=Builtin)(cn:dn:=Configuration)(cn:dn:=Users)))(grouptype=*))' dn | grep -v ^# | sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'|sed -e'/^dn/ a\changetype: modify\nreplace: grouptype\ngrouptype: -2147483644' >/tmp/replace_grouptype.ldif

echo ""
cat /tmp/replace_grouptype.ldif
echo -e "The ldif is located at /tmp/replace_grouptype.ldif"
echo -e "You have 30 seconds to abort the script (Ctrl-C) before grouptypes are changed to '-2147483644' ..."
sleep 30
echo -e "Replacing grouptypes with '-2147483644' ....."
# Apply the modifications; keep the ldif for review if ldapadd reports a failure.
if /usr/bin/ldapadd -Y EXTERNAL -f /tmp/replace_grouptype.ldif; then
    rm /tmp/replace_grouptype.ldif
else
    echo "ldapadd failed; /tmp/replace_grouptype.ldif has been kept for review." >&2
    exit 1
fi

exit 0
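The following is an added example, not part of this TID or its script: a shell function that builds the same kind of modify ldif from saved "ldapsearch -LLL ... dn grouptype" output (the search shown under Resolution), but skips groups whose grouptype is already -2147483644 so that only Global and Universal groups are rewritten, and joins folded LDIF continuation lines before parsing. The sample ldapsearch output embedded in it is constructed; the DNs are invented.

```shell
#!/bin/bash
# Added example (not the TID's script): build a modify ldif from
# "ldapsearch -LLL ... dn grouptype" output, skipping groups that are
# already Domain Local (-2147483644). Folded LDIF lines (continuation
# lines that start with one space) are joined first. Base64-encoded
# DNs ("dn:: ...") are not handled here.

DOMAIN_LOCAL=-2147483644

# Reads ldapsearch LDIF output on stdin, writes the modify ldif on stdout.
make_grouptype_ldif() {
    awk -v want="$DOMAIN_LOCAL" '
        NR == 1 { buf = $0; next }
        /^ /    { buf = buf substr($0, 2); next }   # unfold continuation line
                { handle(buf); buf = $0 }
        END     { handle(buf); emit() }

        function handle(line) {
            if (line ~ /^dn: /)                       { emit(); dn = substr(line, 5) }
            else if (tolower(line) ~ /^grouptype: /)  { gtype = substr(line, 12) }
            else if (line == "")                      { emit() }
        }
        # One modify record per group, unless it is already Domain Local.
        function emit() {
            if (dn != "" && gtype != want) {
                print "dn: " dn
                print "changetype: modify"
                print "replace: grouptype"
                print "grouptype: " want
                print ""
            }
            dn = ""; gtype = ""
        }'
}

# Constructed sample of ldapsearch output (invented DNs): a Global group
# (-2147483646), a Universal group (-2147483640) whose DN is folded over
# two lines, and a group that is already Domain Local.
SAMPLE='dn: cn=Sales,ou=Groups,dc=example,dc=com
grouptype: -2147483646

dn: cn=Engineering,ou=Groups,dc=exam
 ple,dc=com
grouptype: -2147483640

dn: cn=Already Local,ou=Groups,dc=example,dc=com
grouptype: -2147483644'

# On a DSfW server, pipe the TID's ldapsearch (with "dn grouptype") in instead.
printf '%s\n' "$SAMPLE" | make_grouptype_ldif
```

Only the Sales and Engineering groups appear in the generated ldif; the record for Already Local is suppressed because its grouptype already matches.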