<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 09/16/2013 12:02 PM, KodaK wrote: <blockquote cite="mid:CAA9J0ZGCqwDcRMFqoru2wi1-xniLpygP57jEkfWCeg5-Vscc8g@mail.gmail.com" type="cite"> <div dir="ltr">Yet another AIX related problem: <div><br> </div> <div>The AIX LDAP client is called secldapclntd (sure, they could make it more awkward, but the budget ran out.) I'm running into the issue detailed here:</div> <div><br> </div> <div><a moz-do-not-send="true" href="http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344">http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344</a></div> <div><br> </div> <div>"<span style="color:rgb(51,51,51)">If an LDAP server fails to answer an LDAP query, </span><span style="color:rgb(51,51,51)">secldapclntd caches the </span><span style="color:rgb(51,51,51)">non-answered query negatively. This may happen if the </span><span style="color:rgb(51,51,51)">LDAP server is </span><span style="color:rgb(51,51,51)">down for example. After the LDAP server is back again </span><span style="color:rgb(51,51,51)">secldapclntd </span><span style="color:rgb(51,51,51)">will use the negative cache entry and the application </span><span style="color:rgb(51,51,51)">initiating the </span><span style="color:rgb(51,51,51)">original query will still fail until the cache entry </span><span style="color:rgb(51,51,51)">expires."</span></div> <div><br> </div> <div>IBM is working on porting the fix to our specific TL and SP levels.</div> <div><br> </div> <div>What I'm concerned with here, though, is *why* is it timing out? I don't know what the current timeout values are (AIX sucks, etc.)</div> <div><br> </div> <div>I don't see timeout issues on my Linux boxes, which leads me to believe that either the sssd timouts are longer or that sssd is just more robust when dealing with timeouts.</div> <div><br> </div> <div> I believe I'm seeing similar behavior with LDAP sudo on AIX as well, because I occasionally have to re-run sudo commands because they initially fail (and I know I'm using the right passwords.) However, sudo doesn't appear to have a cache (or it handles caching better.)</div> <div><br> </div> <div>Does anyone have any troubleshooting suggestions? Any general "speed things up" suggestions on the IPA side?</div> <div><br> </div> <div>Thanks,</div> <div><br> </div> <div>--Jason<br clear="all"> <div><br> </div> -- <br> The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> Is the server FreeIPA?<br> Can see in the server logs what is actually happening is it the server that really takes time or there is a network connectivity issue or FW is dropping packets?<br> I would really start with the server side logs.<br> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>