[Freeipa-users] Disable ldap dns lookup in freeipa?

Stamper, Brian P. (ARC-D)[Logyx LLC] brian.p.stamper at nasa.gov
Mon Jun 13 18:16:21 UTC 2011


I've been continuing to troubleshoot this slowness in freeipa; specifically, ipa-finduser, which I'm told should take at most 2-3 seconds, is taking 20+.  People suspected "a dns issue".  I don't really use DNS, particularly in my test environment.  However, to check this issue, I relented and added my server to dns.  The situation has not changed.  An strace of ipa-finduser admin shows the following:

open("/usr/lib64/python2.7/site-packages/ldap/filter.py", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=1441, ...}) = 0
open("/usr/lib64/python2.7/site-packages/ldap/filter.pyc", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(6, "\3\363\r\n/\350\352Jc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s/\0\0\0d\0"..., 4096) = 1863
fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0x7f115dba3000, 4096)            = 0
close(5)                                = 0
close(4)                                = 0
close(3)                                = 0
stat("/usr/share/locale/en_US.UTF8/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
stat("/usr/share/locale/en.UTF8/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
brk(0)                                  = 0x2755000
brk(0x2776000)                          = 0x2776000
open("/etc/ipa/ipa.conf", O_RDONLY)     = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f115dba3000, 4096)            = 0
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(3, "domain arc.nasa.gov\nnameserver 1"..., 4096) = 71
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f115dba3000, 4096)            = 0

<This is the delay>

socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("143.232.252.34")}, 16) = 0
poll([{fd=3, events=POLLOUT}], 1, 0)    = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000)  = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0)    = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000)  = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0)    = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000)  = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0)    = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000)  = 0 (Timeout)
close(3)                                = 0
open("/etc/ipa/ipa.conf", O_RDONLY)     = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78
read(3, "", 4096)                       = 0
close(3)                                = 0

Doing a tcpdump of the DNS server shows the following:

11:01:18.217811 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:18.235829 IP freeipa.arc.nasa.gov.35688 > ns1.arc.nasa.gov.domain: 981+ PTR? 34.252.232.143.in-addr.arpa. (45)
11:01:18.236535 IP ns1.arc.nasa.gov.domain > freeipa.arc.nasa.gov.35688: 981* 1/3/3 PTR ns1.arc.nasa.gov. (173)
11:01:28.228160 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:38.237880 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:48.248343 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)

This is a pretty serious problem.  I don't own the name servers for this domain.  I don't manage the entirety of the namespace.  I don't want SRV entries for my host.  Is there a way to disable the _srv lookup?  I found the following thread:

http://osdir.com/ml/freeipa-users/2011-04/msg00020.html

That thread discusses it a little bit.  Specifying a static list of IPA servers is exactly what I want to do.  I'm using 1.2, so I'm not using sssd.

-Brian
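Added example, not part of the original post and not FreeIPA's own code: a small Python model of what the strace and tcpdump above show. It decodes the 41-byte SRV query (the packet bytes are reconstructed from the `\5_ldap\4_tcp\3arc\4nasa` prefix in the trace plus the DNS wire format; the trailing bytes are an assumption), and it contrasts a client that retries the `_ldap._tcp.<domain>` SRV lookup four times with a 5-second timeout each, as the trace shows, against one that honours a static server list first. The resolver callables are constructed stand-ins so the block runs offline; function and parameter names are hypothetical.

```python
import struct

# Constructed sample: the 41-byte query from the strace/tcpdump above,
# reconstructed as a full packet. Header is id=0, flags=RD, qdcount=1;
# QNAME is length-prefixed labels; QTYPE 33 = SRV, QCLASS 1 = IN.
# The trace only shows the first bytes; the tail is inferred (assumption).
SRV_QUERY = (
    b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header (12 bytes)
    b"\x05_ldap\x04_tcp\x03arc\x04nasa\x03gov\x00"         # _ldap._tcp.arc.nasa.gov
    b"\x00\x21\x00\x01"                                     # QTYPE=SRV, QCLASS=IN
)

QTYPE_SRV = 33


def parse_dns_question(pkt: bytes) -> dict:
    """Decode the header and the first question of a DNS query packet."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    off = 12
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "qdcount": qdcount,
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
        "length": off + 4,
    }


def discover_ldap_servers(domain, srv_lookup, static_servers,
                          attempts=4, timeout=5.0, static_first=False):
    """Return (servers, source, seconds_waited).

    srv_lookup(name, timeout) is an injected resolver that returns a list of
    (priority, weight, port, target) tuples or raises TimeoutError.
    static_first=False mirrors the client in the strace: `attempts` SRV
    queries, each waiting `timeout` seconds, before anything else happens.
    static_first=True returns the configured list immediately.
    seconds_waited is the accumulated timeout budget, not wall-clock time,
    so the function is deterministic and needs no network.
    """
    if static_first and static_servers:
        return list(static_servers), "static", 0.0
    name = f"_ldap._tcp.{domain}"
    waited = 0.0
    for _ in range(attempts):
        try:
            records = srv_lookup(name, timeout)
        except TimeoutError:
            waited += timeout
            continue
        # Lowest priority first; within one priority, higher weight first.
        # (RFC 2782 chooses among equal priorities by weighted random pick;
        # a deterministic order is used here so the result is checkable.)
        ordered = sorted(records, key=lambda r: (r[0], -r[1]))
        return [f"{target}:{port}" for _, _, port, target in ordered], "srv", waited
    if static_servers:
        return list(static_servers), "static", waited
    raise LookupError(f"no IPA server found for {domain} after {waited:.0f}s")


# Constructed resolvers standing in for a real DNS client.
def dead_resolver(name, timeout):
    """Models the trace above: every query goes unanswered."""
    raise TimeoutError(name)


def sample_resolver(name, timeout):
    """Returns a made-up SRV answer (hypothetical hostnames)."""
    return [(10, 50, 389, "ipa2.example.test"),
            (0, 100, 389, "ipa1.example.test"),
            (10, 80, 389, "ipa3.example.test")]


if __name__ == "__main__":
    print(parse_dns_question(SRV_QUERY))
    print(discover_ldap_servers("arc.nasa.gov", dead_resolver, ["freeipa.arc.nasa.gov:389"]))
    print(discover_ldap_servers("arc.nasa.gov", dead_resolver, ["freeipa.arc.nasa.gov:389"],
                                static_first=True))
    print(discover_ldap_servers("arc.nasa.gov", sample_resolver, []))
```

With the dead resolver the retry loop accounts for exactly 4 × 5 s = 20 s before the static list is consulted, which is the delay the trace shows; with `static_first=True` the same call returns at once. Note that an unauthenticated SRV answer is what tells the client which LDAP server to talk to, so a fixed server list is not only faster but also removes a dependency on a name server the poster does not control; the cost is that the list must be kept current by hand.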