<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/23/2014 10:03 AM, Bret Wortman
wrote:<br>
</div>
<blockquote cite="mid:537F554F.4030108@damascusgrp.com" type="cite">
<br>
<div class="moz-cite-prefix">On 05/23/2014 09:53 AM, Mauricio
Tavares wrote:<br>
</div>
<blockquote
cite="mid:CAHEKYV5vKe5fPRZjC1+=uk-SUtWthGTu5uqJsRj7L4PU+JnWhg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, May 23, 2014 at 9:48 AM,
Bret Wortman <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:bret.wortman@damascusgrp.com"
target="_blank">bret.wortman@damascusgrp.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> More
soft/anecdotal:<br>
<br>
When executing "sudo -i" or "sudo -iu" the first time,
we can expect a several second delay before the
command completes. If we then exit the session and
re-execute the command, it will complete almost
instantly. So whatever cache is holding this
information, if we could increase its duration, that
would certainly make our pain less. Is this a settable
value?<br>
<br>
Entering a password into a screensaver is particularly
painful. 10+ seconds before the screensaver will exit.<br>
<br>
We are looking at environmental possibilities, like
interfaces and such. This machine is running on a
VMware VM, but we've had success deploying IPA on VMs
in the past, and our faster network is running VMs as
well (with one physical box).<br>
<br>
<br>
Bret
<div>
<div class="h5"><br>
</div>
</div>
</div>
</blockquote>
<div> Did running sudo in debugging mode
(SUDOERS_DEBUG 2 in ldap.conf) give you any more clues?<br>
</div>
</div>
</div>
</div>
</blockquote>
No. I compared the output on both networks and there's no real
difference once I accounted for HBAC on one (which produced 2
entries on the slower network that got filtered down to 1 user
match and 1 host match). But the debug output was nearly
identical.<br>
</blockquote>
<br>
Did you see any gaps in time in the logs that are different?<br>
The flow can be the same but some operations can take longer, so
that would be a hint to us on what to look for.<br>
<br>
<blockquote cite="mid:537F554F.4030108@damascusgrp.com" type="cite">
<br>
<blockquote
cite="mid:CAHEKYV5vKe5fPRZjC1+=uk-SUtWthGTu5uqJsRj7L4PU+JnWhg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5"> <br>
<div>On 05/23/2014 08:15 AM, Bret Wortman wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5"> Collecting my various threads
together under one big issue and adding this new
data point:<br>
<br>
Our web UI on our slow network is exhibiting
some strange behavior as well.<br>
<br>
When selecting, for example, the "Users", it can
take up to 5 seconds to fetch 20 out of our 56
entries.<br>
<br>
When switching to "Hosts", it took 4 seconds for
the footer to show that there would be 47 pages
in total, then after 10 seconds total, the page
loaded 20 of 939 entries. When I select a host,
the previously-selected host will actually be
displayed for upwards of 8-10 seconds (while the
spinning cursor spins near the word Logout)
until the host actually loads.<br>
<br>
Is it just me, or does this, plus everything
else, start to sound like LDAP is struggling?<br>
<br>
I ran a test using ldapsearch in authenticated
and unauthenticated mode from my workstation and
here's what I found, which may tell us nothing:<br>
<tt><br>
</tt><tt># time ldapsearch -x -H ldap://<a
moz-do-not-send="true"
href="http://zsipa.foo.net" target="_blank">zsipa.foo.net</a>
base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"</tt><tt><br>
</tt><tt>:</tt><tt><br>
</tt><tt>real 0m2.047s</tt><tt><br>
</tt><tt>user 0m0.000s</tt><tt><br>
</tt><tt>sys 0m0.001s</tt><tt><br>
</tt><tt># time ldapsearch -Y GSSAPI -H <a
moz-do-not-send="true">ldap://zsipa.foo.net</a>
base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"</tt><tt><br>
</tt><tt>:</tt><tt><br>
</tt><tt>real 0m2.816s</tt><tt><br>
</tt><tt>user 0m0.004s</tt><tt><br>
</tt><tt>sys 0m0.002s</tt><tt><br>
<br>
</tt>When I did this locally on the ipa master:<br>
<tt><br>
</tt><tt># ssh <a moz-do-not-send="true"
href="http://zsipa.foo.net" target="_blank">zsipa.foo.net</a></tt><tt><br>
</tt><tt># time ldapsearch -Y GSSAPI
base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"</tt><tt><br>
</tt><tt>:</tt><tt><br>
</tt><tt>real 0m0.847s</tt><tt><br>
</tt><tt>user 0m0.007s</tt><tt><br>
</tt><tt>sys 0m0.006s</tt><tt><br>
</tt><tt>#</tt><tt><br>
</tt><br>
<br>
<div>-- <br>
<div><b>Bret Wortman</b></div>
<div><a moz-do-not-send="true"
href="http://damascusgrp.com/"
target="_blank">http://damascusgrp.com/</a><br>
</div>
<div><a moz-do-not-send="true"
href="http://about.me/wortmanbret"
target="_blank">http://about.me/wortmanbret</a><br>
<br>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
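<br>
Added example, not part of the original thread or of FreeIPA: one way to look for the time gaps asked about above is to pair each request in the directory server's access log with its RESULT line and list the operations that took longest, then compare that list between the fast and the slow network. It assumes the 389 Directory Server access-log layout; the function name <tt>slow_operations</tt> and the sample log lines are constructed for illustration.<br>

```python
import re
from datetime import datetime

# Constructed sample in the 389 Directory Server access-log layout (not from the thread).
SAMPLE_LOG = """\
[23/May/2014:10:03:01 -0400] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.2
[23/May/2014:10:03:01 -0400] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2014:10:03:03 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=2
[23/May/2014:10:03:03 -0400] conn=12 op=1 SRCH base="cn=accounts,dc=foo,dc=net" scope=2 filter="(uid=bretw)" attrs=ALL
[23/May/2014:10:03:03 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/May/2014:10:03:04 -0400] conn=13 op=1 SRCH base="ou=sudoers,dc=foo,dc=net" scope=2 filter="(objectClass=sudoRole)" attrs=ALL
[23/May/2014:10:03:12 -0400] conn=13 op=1 RESULT err=0 tag=101 nentries=2 etime=8
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Groups: 1 timestamp, 2 connection id, 3 operation id, 4 verb, 5 rest of line.
LINE = re.compile(r"^\[([^\]]+)\] conn=(\d+) op=(-?\d+) ([A-Z]+)(.*)$")


def slow_operations(log_text, threshold_s=1.0):
    """Return (conn, op, request, seconds) for operations at or over threshold_s."""
    pending = {}  # (conn, op) -> (start time, request text)
    slow = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection open/close lines carry no op= field
        key = (int(m.group(2)), int(m.group(3)))
        when = datetime.strptime(m.group(1), TS_FORMAT)
        if m.group(4) == "RESULT":
            start = pending.pop(key, None)
            if start is None:
                continue  # request was logged before this excerpt begins
            seconds = (when - start[0]).total_seconds()
            if seconds >= threshold_s:
                slow.append((key[0], key[1], start[1], seconds))
        else:
            pending[key] = (when, m.group(4) + m.group(5))
    return slow


if __name__ == "__main__":
    for conn, op, request, seconds in slow_operations(SAMPLE_LOG):
        print(f"conn={conn} op={op} took {seconds:.0f}s: {request}")
```
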
</body>
</html>