[Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

Jan-Frode Myklebust janfrode at tanso.net
Wed Mar 20 13:04:24 UTC 2013


On Wed, Mar 20, 2013 at 10:44:10AM +0100, Jakub Hrozek wrote:
> 
> This really sounds like a bug. If you encounter a situation like this,
> where a group does not show all its members, feel free to open a bug.

I have been experiencing this for quite some time, but I'm struggling
with how to give useful bug reports. Right now I tested an ssh login to
one of my ipa servers and failed to log in:

	Mar 20 12:55:13 ipa1 sshd[16112]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.net'

then I immediately try again, and can successfully log in. The reason
for pam_access denying access is most likely that my groups aren't
populated on the first try, but on the second it works.

I don't seem able to reproduce this issue by stopping/clearing/starting
sssd, so I suspect it might be the connection between sssd and 389ds
that has been broken by firewalls between them maybe. We have an evil
firewall that breaks connections that have been idle for more than 30
minutes.

Are there heartbeat or keepalive settings in IPA or 389ds that we should
enable to keep connections alive?

> 
> Bottom line, if you are seeing inconsistent results with ipa backend,
> please open a bug. This is something that would need fixing right away.

Don't know if I can call it inconsistent results with ipa backend, or
just bad broken connection handling within sssd. Any hints for how I can
provide better bug reports would be appreciated.


  -jf
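
Added example (not part of the original message, and not SSSD or FreeIPA code): one way to collect evidence for a bug report about this symptom is to scan the sshd log for pam_access denials that are followed shortly by a successful login of the same user on the same host. The `Accepted ...` line format, the 60-second window, the assumed year and every sample line except the first are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first line is the one quoted in the post; the
# others are made up for illustration in sshd's usual syslog format.
SAMPLE_LOG = """\
Mar 20 12:55:13 ipa1 sshd[16112]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.net'
Mar 20 12:55:21 ipa1 sshd[16120]: Accepted publickey for janfrode from 192.0.2.10 port 51234 ssh2
Mar 20 13:40:02 ipa1 sshd[16301]: pam_access(sshd:account): access denied for user `bob' from `login2.example.net'
Mar 20 14:10:45 ipa1 sshd[16377]: Accepted password for alice from 192.0.2.11 port 40022 ssh2
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
DENIED = re.compile(
    STAMP + r"pam_access\(sshd:account\): access denied for user `(?P<user>[^']+)'")
ACCEPTED = re.compile(STAMP + r"Accepted \S+ for (?P<user>\S+) from ")


def parse_ts(ts, year):
    # Classic syslog stamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def flapping_denials(log_text, window_seconds=60, year=2013):
    """Return (user, host, denied_at, accepted_at) for each pam_access denial
    followed by a successful login of the same user within the window."""
    window = timedelta(seconds=window_seconds)
    pending = {}  # (host, user) -> time of the most recent denial
    hits = []
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            pending[(m["host"], m["user"])] = parse_ts(m["ts"], year)
            continue
        m = ACCEPTED.match(line)
        if m:
            denied_at = pending.pop((m["host"], m["user"]), None)
            accepted_at = parse_ts(m["ts"], year)
            if denied_at is not None and accepted_at - denied_at <= window:
                hits.append((m["user"], m["host"], denied_at, accepted_at))
    return hits


if __name__ == "__main__":
    for user, host, denied_at, accepted_at in flapping_denials(SAMPLE_LOG):
        print(f"{host}: {user} denied {denied_at:%H:%M:%S}, "
              f"accepted {accepted_at:%H:%M:%S}")
```

The timestamps it reports mark the windows for which SSSD debug logs and 389ds access logs are worth attaching to the bug report.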



