[Freeipa-users] Slowdowns in freeIPA 2.2.0

Dmitri Pal dpal at redhat.com
Fri Jul 13 15:51:53 UTC 2012


On 07/13/2012 11:46 AM, Loris Santamaria wrote:
> I have this test server with 8.000 entries, recently upgraded from 2.1.3
> to 2.2.0 and I'm seeing some big slowdowns and I would like to know
> where to look to debug them. The server is CentOS 6.3 with
> ipa-server-2.2.0-16.el6.x86_64 and 389-ds-base-1.2.10.2-20.el6_3.x86_64
>
> First of all, in 2.2.0 ldapsearch with "-Y GSSAPI" is much slower than
> using plain authentication:
>
Hm. The only difference would be a new Kerberos driver.
Please take a look at the KDC logs and see what is going on there.

> # time ldapsearch -x uid=bdteg01662 dn
> # extended LDIF
> #
> # LDAPv3
> # base <dc=xxx,dc=gob,dc=ve> (default) with scope subtree
> # filter: uid=bdteg01662
> # requesting: dn 
> #
>
> # bdteg01662, users, accounts, xxx.gob.ve
> dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> real	0m0.006s
> user	0m0.001s
> sys	0m0.003s
>
> # time ldapsearch -Y GSSAPI uid=bdteg01662 dn
> SASL/GSSAPI authentication started
> SASL username: admin at XXX.GOB.VE
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=xxx,dc=gob,dc=ve> (default) with scope subtree
> # filter: uid=bdteg01662
> # requesting: dn 
> #
>
> # bdteg01662, users, accounts, xxx.gob.ve
> dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> real	0m2.344s
> user	0m0.007s
> sys	0m0.005s
>
> As a consequence of this all of the ipa commands run a bit slow. But the
> real slowdown is in the web interface, every search is terribly slow and
> any search that returns more than 4 or 5 entries never completes, it
> shows a dialogue that says just "Unknown error". In the dirsrv access
> logs I see that the search completes in a short time and the apache
> error log doesn't show any error whatsoever.
>
> Note this is a test system, there are no other users of this server, and
> the compat plugin is disabled.
>

IPA in 2.2 uses memcached and session caching, so the web UI should be faster
than in earlier versions.
I wonder if the version of memcached is misbehaving on CentOS 6.3.
Can you please provide more details on that front?
Look at the httpd logs. There might be something that would give you
some hints about what is going on.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

