<div dir="ltr"><div>I concede - FreeIPA is big and hard and I am new. Evidence would suggest that you know exactly what's going on under the hood. :)<br><br></div>Thanks everyone.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>------<br>The most dangerous phrase in the language is, "We've always done it this way."<br><br>- Grace Hopper<br></div></div></div></div> <br><div class="gmail_quote">On 20 September 2016 at 18:10, Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tue, 20 Sep 2016, Sumit Bose wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Tue, Sep 20, 2016 at 09:33:21AM +0300, Alexander Bokovoy wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Tue, 20 Sep 2016, Martin Babinsky wrote:<br> > On 09/20/2016 12:17 AM, Simpson Lachlan wrote:<br> > > > -----Original Message-----<br> > > ><br> > > > On 09/19/2016 03:12 AM, Lachlan Musicman wrote:<br> > > > > Hi<br> > > > ><br> > > > > Sometimes when I visit the ID Views page in the webgui, it is<br> > > > > crushingly slow, and often it times out.<br> > > > ><br> > > > > Centos 7, ipa --version<br> > > > > VERSION: 4.2.0, API_VERSION: 2.156<br> > > > ><br> > > > > Is there a reason, can I do something to fix this?<br> > > > ><br> > > ><br> > > > What kind of ID Views do you use? Do you use them to override AD users?<br> > > > Is there any useful info in '/var/log/httpd/error_log'?<br> > ><br> > > There is the single ID View Name, Default Trust View, and in that we have a number of users over riding the AD usernames and home dirs.<br> > ><br> > > The httpd error log is relatively large, tbh, but there's nothing in there that looks like an obvious reason. In fact, for an error log, there is a hell of a lot of "SUCCESS" messages? The most obvious culprit in the error log is jsonserver_session...<br> > ><br> > > Next time I see it (I only see it intermittently), I'll grab the logs and have a look.<br> > ><br> > > Cheers<br> > > L.<br> > ><br> > ><br> > ><br> > > This email (including any attachments or links) may contain<br> > > confidential and/or legally privileged information and is<br> > > intended only to be read or used by the addressee. If you<br> > > are not the intended addressee, any use, distribution,<br> > > disclosure or copying of this email is strictly<br> > > prohibited.<br> > > Confidentiality and legal privilege attached to this email<br> > > (including any attachments) are not waived or lost by<br> > > reason of its mistaken delivery to you.<br> > > If you have received this email in error, please delete it<br> > > and notify us immediately by telephone or email. Peter<br> > > MacCallum Cancer Centre provides no guarantee that this<br> > > transmission is free of virus or that it has not been<br> > > intercepted or altered and will not be liable for any delay<br> > > in its receipt.<br> > ><br> ><br> > One thing that crossed my mind is to check the connectivity to the AD<br> > domain controllers. To resolve AD user overrides, FreeIPA uses SSSD to<br> > contact AD DCs to do the username -> SID translation. If there is some<br> > problem contacting them, then there may be hangs/timeouts when resolving<br> > override anchors.<br> Internally IPA framework attempts to resolve ID override anchors. We can<br> actually optimize this code as ipaOriginalUID attribute contains<br> normalized name already, written their when the override is created and<br> never changed afterwards. This should speed up the resolution of large<br> overrides.<br> <br> Martin, can you file a ticket for that? The code in question is<br> baseidoverride.convert_anchor_<wbr>to_human_readable_form() which could<br> benefit from passing in entry_attrs and checking ipaoriginaluid there.<br> If 'ipaoriginaluid' is missing, do analysis of ipaanchoruuid like it is<br> done now.<br> </blockquote> <br> As an alternative I wonder if the WebUI can be made asynchronous in the<br> sense that it displays the raw data (the SID in this case) first and run<br> the lookups in the background and replace the SID when the name is<br> available. I've seen some Windows tools behaving this when looking up<br> large numbers of SIDs.<br> </blockquote></div></div> We have that for external group members already.<br> <br> However, in the ID overrides there is no SID as it is. The RDN of the ID<br> override is 'ipaAnchorUUID' attribute which is an encoding of a target<br> reference. We don't need to resolve it because we already have it<br> resolved in 'ipaOriginalUid' attribute -- this was done to help Schema<br> Compatibility and SASL mapping plugins which cannot resolve<br> ipaAnchorUUID value. We just need to make its use consistent across the<br> IPA framework.<div class="HOEnZb"><div class="h5"><br> <br> -- <br> / Alexander Bokovoy<br> <br> -- <br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman<wbr>/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> </div></div></blockquote></div><br></div>