[Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

Rob Crittenden rcritten at redhat.com
Thu Mar 21 21:25:57 UTC 2013


Jan-Frode Myklebust wrote:
> On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote:
>>
>> I see several failures related to the SELinux processing:
>> -----------
>> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
>> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
>> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
>> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
>> -----------
>>
>> "4" is an internal error code, it would manifest in your /var/log/secure
>> as "System Error".
>
> No system errors are logged to /var/log/secure:
>
> 	Mar 21 11:30:01 ipa1 CROND[1161]: pam_unix(crond:session): session closed for user root
> 	Mar 21 11:33:27 ipa1 sshd[1204]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.net'
> 	Mar 21 11:33:33 ipa1 sshd[1216]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
> 	Mar 21 11:33:39 ipa1 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)
>
>> What state is SELinux on the client machine? Are there any AVC denials?
>
> Selinux is in enforcing mode. No denials logged.
>
> When upgrading to v2.2, and also when initializing a v2.2 replica we got
> the following error:
>
> 	Applying LDAP updates
> 	ipa         : ERROR    Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed
>
> so I suspect there are some problem with our LDAP schema. That might be
> related to the "No SELinux user maps found" message.. I have a support
> ticket open on this ipaSELinuxUserMapOrder-schema problem (00800931),
> but not much progress there yet..

Upgrading to 2.2 from what version?

If there are no maps it may just mean that there are no maps, which is 
fine. SELinux user maps didn't work well in 6.3 anyway.

You might try: ipa-ldap-updater --ldapi /usr/share/ipa/updates/10-selinuxusermap.update

rob
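Added example (not from the thread, and not SSSD or FreeIPA project code): a small triage script for the failure discussed above. It parses lines from an sssd_<domain>.log backend debug log, pulls the PAM result code out of each "Sending result [N][domain]" line, maps it to its Linux-PAM name (4 is PAM_SYSTEM_ERR, the "System Error" Jakub refers to), and keeps the messages logged since the previous result so that the "No SELinux user maps found!" line ends up attached to the request that returned 4. The sample log is the four lines quoted in the thread plus one constructed successful request; the function names and the assumption that the log format is exactly as quoted are mine.

```python
import re
from dataclasses import dataclass

# Linux-PAM return codes from <security/_pam_types.h>. The thread's "4" is
# PAM_SYSTEM_ERR, which pam_sss surfaces in /var/log/secure as "System Error".
PAM_CODES = {
    0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 2: "PAM_SYMBOL_ERR",
    3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR",
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

# Assumed log shape, taken from the lines quoted in the thread:
# (timestamp) [sssd[be[domain]]] [function] (debuglevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"^Sending result \[(?P<code>\d+)\]\[(?P<domain>[^\]]+)\]$")

# Sample input: the four lines quoted by Jakub, plus one constructed request
# (08:24:10) that succeeds, so both branches are exercised.
SAMPLE_LOG = [
    "(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!",
    "(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]",
    "(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]",
    "(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]",
    "(Thu Mar 21 08:24:10 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]",
    "(Thu Mar 21 08:24:10 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [0][example.net]",
    "(Thu Mar 21 08:24:10 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [0][example.net]",
]


@dataclass
class PamResult:
    timestamp: str
    domain: str
    code: int
    name: str
    context: list  # "[function] message" lines logged since the previous result


def parse_line(line):
    """Split one backend log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_pam_results(lines):
    """Return one PamResult per 'Sending result' line, with the preceding messages attached."""
    results, context = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        r = RESULT_RE.match(rec["msg"])
        if r is None:
            # "Sent result" is just the echo of the line before it; skip it so
            # it does not leak into the next request's context.
            if not rec["msg"].startswith("Sent result "):
                context.append(f'[{rec["func"]}] {rec["msg"]}')
            continue
        code = int(r.group("code"))
        results.append(PamResult(rec["ts"], r.group("domain"), code,
                                 PAM_CODES.get(code, f"UNKNOWN({code})"), context))
        context = []
    return results


def internal_errors(lines):
    """Only the requests that ended in PAM_SYSTEM_ERR, the case discussed in the thread."""
    return [res for res in find_pam_results(lines) if res.code == 4]


if __name__ == "__main__":
    for res in internal_errors(SAMPLE_LOG):
        print(f"{res.timestamp} {res.domain}: {res.name}")
        for ctx in res.context:
            print("    ", ctx)
```

Run it against a real log with `find_pam_results(open("/var/log/sssd/sssd_example.net.log"))`; a result of 4 whose context carries only "Backend returned: (0, 0, Success)" is exactly the mismatch that points at something after the backend call, here the SELinux map step, rather than at LDAP itself.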
