[Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

Jan-Frode Myklebust janfrode at tanso.net
Mon Apr 8 10:40:53 UTC 2013 

On Mon, Apr 08, 2013 at 12:26:43PM +0200, Jakub Hrozek wrote:
> 
> I tried a similar case locally and everything worked for me. In the
> domain log I saw:
> 
> [sssd[be[idm.lab.bos.redhat.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it
> 
> when I set selinux_provider=none.
> 
> What exact SSSD version is this?

sssd-1.8.0-32.el6.x86_64

> Can you paste the domain section of the sssd.conf?

	[domain/example.net]
	cache_credentials = True
	krb5_store_password_if_offline = True
	krb5_realm = EXAMPLE.NET
	ipa_domain = example.net
	id_provider = ipa
	auth_provider = ipa
	access_provider = ipa
	chpass_provider = ipa
	#ipa_server = ipa1.example.net
	ipa_server = _srv_, ipa1.example.net
	#ipa_server = ipa2.example.net, ipa1.example.net
	ldap_tls_cacert = /etc/ipa/ca.crt
	enumerate = false
	selinux_provider = none
	debug_level = 6

I know fixed the schema problem we had in 60ipaconfig.ldif. We were
missing ipaSELinuxUserMapDefault and ipaSELinuxUserMapOrder in the
ipaGuiConfig object class. But after fixing this I still see "No SELinux
user maps found!" messages..:

(Mon Apr  8 12:23:08 2013) [sssd[be[example.net]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=example,dc=net
(Mon Apr  8 12:23:08 2013) [sssd[be[example.net]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=example,dc=net
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(null)][cn=selinux,dc=example,dc=net]
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=example,dc=net].
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!



Should this be the full cn=selinux,dc=example,dc=net ?

-----------------------------------------------------------
dn: cn=selinux,dc=example,dc=net
objectClass: top
objectClass: nsContainer
cn: selinux

dn: cn=usermap,cn=selinux,dc=example,dc=net
objectClass: top
objectClass: nsContainer
cn: usermap
-----------------------------------------------------------


  -jf

More information about the Freeipa-users mailing list