[Freeipa-users] IPA Load Problems?

[Martin Kosek]

On 09/04/2013 04:02 PM, Rich Megginson wrote:
> On 09/04/2013 07:58 AM, John Moyer wrote:
>> It was our opinion that it wasn't an index issue.  I cleared the logs from
>> the IPA server, and then just ran a JIRA sync with the server.  I gave Rich
>> the log file from my IPA for that sync.  I can't find the exact conversation,
>> but we determined that JIRA was connecting to LDAP some 1000 times or so to
>> do the sync.

In parallel to our investigation in FreeIPA, I think it would be beneficial to
either check if Jira can be configured so that it does the synchronization in
one LDAP connection instead of connecting 1000 of times to do the searches.

If this is not possible, I think that a bug should be filed so that they can
fix it eventually in future versions.

> 
> Right.  For every single entry in IPA (user and group), JIRA LDAP sync does -
> connect/bind/search/unbind/disconnect.  This is horribly inefficient, but it is
> what it is, and apparently other apps work the same way (nexus?  svn?), so this
> would be a good avenue to investigate performance.
> 
>> The logs didn't show but one search done that didn't have an index which is
>> why we concluded it wasn't an index issue.
> 
> Adding indexing did help, but not much, and not nearly enough to make the
> performance acceptable.

Ok, it seems that the problem is indeed a slow LDAP bind with FreeIPA. It is
important to note that it will always be slower that simple auth LDAP Binds
with a plain LDAP instance as FreeIPA has several DS plugin hooked to the Bind
operation which provides some of the functionality.

Our current plan is to profile the bind operation and see if some of our DS
plugin does not take more time than it should. Hopefully, we will find some
suboptimal or unnecessary check which could be optimized and which would
improve the overall result.

Martin