[Freeipa-users] Disable ldap dns lookup in freeipa?

Rob Crittenden rcritten at redhat.com
Mon Jun 13 19:51:39 UTC 2011


Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> I’ve been continuing to troubleshoot this slowness in freeipa,
> specifically ipa-finduser which I’m told should take at most 2-3 seconds
> is taking 20+. People suspected “a dns issue”. I don’t really use DNS,
> particularly in my test environment. However, to check this issue, I
> relented and added my server to dns. The situation has not changed. An
> strace of ipa-finduser admin shows the following:
>
> open("/usr/lib64/python2.7/site-packages/ldap/filter.py", O_RDONLY) = 5
> fstat(5, {st_mode=S_IFREG|0644, st_size=1441, ...}) = 0
> open("/usr/lib64/python2.7/site-packages/ldap/filter.pyc", O_RDONLY) = 6
> fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x7f115dba3000
> read(6,
> "\3\363\r\n/\350\352Jc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s/\0\0\0d\0"...,
> 4096) = 1863
> fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0
> read(6, "", 4096) = 0
> close(6) = 0
> munmap(0x7f115dba3000, 4096) = 0
> close(5) = 0
> close(4) = 0
> close(3) = 0
> stat("/usr/share/locale/en_US.UTF8/LC_MESSAGES/messages.mo",
> 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
> stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff13cb0b10)
> = -1 ENOENT (No such file or directory)
> stat("/usr/share/locale/en.UTF8/LC_MESSAGES/messages.mo",
> 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
> stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) =
> -1 ENOENT (No such file or directory)
> brk(0) = 0x2755000
> brk(0x2776000) = 0x2776000
> open("/etc/ipa/ipa.conf", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
> fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x7f115dba3000
> read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78
> read(3, "", 4096) = 0
> close(3) = 0
> munmap(0x7f115dba3000, 4096) = 0
> open("/etc/resolv.conf", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x7f115dba3000
> read(3, "domain arc.nasa.gov\nnameserver 1"..., 4096) = 71
> read(3, "", 4096) = 0
> close(3) = 0
> munmap(0x7f115dba3000, 4096) = 0
>
> <This is the delay>
>
> socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
> connect(3, {sa_family=AF_INET, sin_port=htons(53),
> sin_addr=inet_addr("143.232.252.34")}, 16) = 0
> poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
> sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41,
> MSG_NOSIGNAL, NULL, 0) = 41
> poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
> poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
> sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41,
> MSG_NOSIGNAL, NULL, 0) = 41
> poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
> poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
> sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41,
> MSG_NOSIGNAL, NULL, 0) = 41
> poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
> poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
> sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41,
> MSG_NOSIGNAL, NULL, 0) = 41
> poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
> close(3) = 0
> open("/etc/ipa/ipa.conf", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
> fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x7f115dba3000
> read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78
> read(3, "", 4096) = 0
> close(3) = 0
>
> Doing a tcpdump of the DNS server shows the following:
>
> 11:01:18.217811 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain:
> 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
> 11:01:18.235829 IP freeipa.arc.nasa.gov.35688 > ns1.arc.nasa.gov.domain:
> 981+ PTR? 34.252.232.143.in-addr.arpa. (45)
> 11:01:18.236535 IP ns1.arc.nasa.gov.domain > freeipa.arc.nasa.gov.35688:
> 981* 1/3/3 PTR ns1.arc.nasa.gov. (173)
> 11:01:28.228160 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain:
> 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
> 11:01:38.237880 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain:
> 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
> 11:01:48.248343 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain:
> 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
>
> This is a pretty serious problem. I don’t own the name servers for this
> domain. I don’t manage the entirety of the namespace. I don’t want SRV
> entries for my host. Is there a way to disable the _srv lookup? I found
> the following thread:
>
> http://osdir.com/ml/freeipa-users/2011-04/msg00020.html
>
> Which discusses it a little bit. Specifying a static list of IPA servers
> is exactly what I want to do. I’m using 1.2, so I’m not using sssd.
>
> -Brian

I believe you need to specify --server on the command-line to avoid the 
SRV lookup:

$ ipa-finduser --server=ipa.arc.nasa.gov admin

rob
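To make the strace and tcpdump above concrete, here is an added example (my own code, not part of FreeIPA or this thread) that decodes the 41-byte packet ipa-finduser sends, parses the SRV answer it was waiting for, and shows the two facts the capture exposes: the worst-case wait is the 5000 ms poll timeout times four sends, and a statically configured server skips the lookup entirely, which is what --server does. The nameserver address, the "timeout 5 / attempts 4" schedule and the constructed SRV answer are assumptions drawn from the capture, not from IPA's own resolver code; the transaction ID of 0 reproduces what the capture shows (a production resolver randomizes it).

```python
import socket
import struct

SRV_QTYPE = 33   # SRV
IN_QCLASS = 1    # IN


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. b'\\x05_ldap\\x04_tcp...\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_srv_query(domain, txid=0):
    """Wire-format SRV query for _ldap._tcp.<domain>.

    txid=0 and flags 0x0100 (RD only) reproduce the bytes in the strace;
    a real resolver must randomize txid to resist spoofed answers.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("_ldap._tcp." + domain) + struct.pack("!HH", SRV_QTYPE, IN_QCLASS)
    return header + question


def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_srv_response(msg):
    """Return sorted [(priority, weight, port, target)] from an SRV answer."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_QTYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return sorted(records)


def build_srv_response(query, target, port, priority=0, weight=100, ttl=300):
    """Constructed SRV answer to the given query (the reply the capture never got)."""
    txid = struct.unpack("!H", query[:2])[0]
    rdata = struct.pack("!HHH", priority, weight, port) + encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV_QTYPE, IN_QCLASS, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + answer


def worst_case_delay(timeout_s=5, attempts=4):
    """Unanswered lookup cost: the strace shows poll(..., 5000) four times."""
    return timeout_s * attempts


def srv_lookup(domain, nameserver, timeout_s=5, attempts=4):
    """UDP SRV lookup mirroring the captured send/poll loop; [] if never answered."""
    query = build_srv_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_s)
        for _ in range(attempts):
            s.sendto(query, (nameserver, 53))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            if data[:2] == query[:2]:
                return parse_srv_response(data)
    return []


def choose_servers(static_server, domain, lookup):
    """The --server short-circuit: a configured server means no SRV query at all."""
    if static_server:
        return [(static_server, 389)]
    return [(target, port) for _, _, port, target in lookup(domain)]


if __name__ == "__main__":
    q = build_srv_query("arc.nasa.gov")
    print(len(q), "bytes:", q)                   # matches sendto(..., 41)
    print(parse_srv_response(build_srv_response(q, "freeipa.arc.nasa.gov", 389)))
    print("worst case with no answer:", worst_case_delay(), "s")
```

Running the module stand-alone prints the same 41-byte query the strace shows, a parsed answer for a constructed SRV record, and the 20 s worst case that lines up with the reported delay; srv_lookup() performs the real query if you point it at a nameserver, and choose_servers() with a static server never calls it.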

