[Freeipa-users] Difficulty installing freeipa
Rob Crittenden
rcritten at redhat.com
Wed Jun 8 14:25:21 UTC 2011
Dmitri Pal wrote:
> On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>>
>> I continue to work with performance issues. I went into the krb5.conf
>> and changed dns_lookup_kdc from true to false. Kinit now responds
>> immediately. It’s cut the time on “ipa-finduser admin” from 2m30s down
>> to 18-20s. How fast “should” this respond?
>
> It should be a matter of less than a second.
> Are you using a VM to test? Does it have enough memory?
> It is really hard to say what exactly is causing your delays.
> IPA does a lot of name resolution. Delays usually related to that. By
> turning off the name resolution against DNS in Kerberos you reduced
> number of the lookups but probably not eliminated all of them. I suggest
> you continue looking into the name resolution more.
> This is the best we can say without any logs or specific configurations.
> Sorry.
Well, not quite sub-second processing. Two kerberos authentications have
to occur and those tend to be slow, 300ms or so each, plus processing
time and such. A typical v1 command will take 1-3 seconds. It seems
sometimes that the first execution is a bit slower as a lot of python
modules need to get loaded but subsequent runs tend to speed up a bit.
18-20 is still far out of line of what I'd expect.
The logs to look at on the server are:
/var/log/dirsrv/slapd-YOURINSTANCE/access
You'd need to find the BIND for your user to get the connection number,
then trace that through to see how long the LDAP part took. This is
likley to be very fast.
/var/log/httpd/error_log
This will show the XML-RPC handling time, any errors, etc.
rob
More information about the Freeipa-users
mailing list