[Freeipa-users] openldap certs?

Bret Wortman bret.wortman at damascusgrp.com
Thu May 22 14:36:45 UTC 2014


I found that our slower system was using FQDNs for the list of IPA 
servers; our faster system was using IPs. I'm switching now, letting 
Puppet distribute the update and will see if it helps.

By enumeration, do you mean are we spelling out our IPA servers? Yes. We 
only have 3 and they look something like this:

[domain/foo.net]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rm266ws-a.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = foo.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

On the other hand, if you meant something else, then I hope the answer's 
in the file. ;-)


On 05/22/2014 10:15 AM, Dmitri Pal wrote:
> On 05/22/2014 09:43 AM, Bret Wortman wrote:
>> What we're seeing is slow GDM logins, ssh authentications, and "sudo 
>> -i" responses on this network. On our other, these things are all 
>> blazing fast. Here, they're on the order of 5-10 seconds. And it 
>> doesn't seem to improve (much) with age or time, except perhaps 
>> anecdotally. At best, a second connection might be a second faster, 
>> but will revert within an hour or so.
>>
>
> Have you compared sssd.conf from clients in these two networks?
> Do you use enumeration?
>
> Increasing debug level and looking at the logs will help you to 
> understand what part takes most time. These logs will be helpful for 
> you/us to see if/what the problem is/are.
>
>>
>> On 05/22/2014 09:36 AM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> Where should my clients be getting the contents of 
>>>> /etc/openldap/certs from?
>>>>
>>>> I've got one network where my IPA authentications are blazing fast and
>>>> one where they're ... not. On the slower one, clients'
>>>> /etc/openldap/certs directories are either missing or empty; on the
>>>> faster network, clients have certs in these directories.
>>>>
>>>> Is this important, and if so what could be going wrong on my slower
>>>> network that might cause the certs to not get distributed or created
>>>> properly?
>>> These are not the droids you are looking for...
>>>
>>> Can you clarify what you mean by IPA authentications? sssd should be
>>> handling that, and while a first auth over a slow link might be slow
>>> subsequent usage should be quite fast.
>>>
>>> rob
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
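A quick way to compare the two networks' client configs objectively is to parse each sssd.conf and report the settings raised in this thread: how each `ipa_server` entry is specified (SRV discovery, IP or FQDN), whether the `ldap_tls_cacert` path is set, and whether sssd's `enumerate` domain option (the setting the word "enumeration" normally refers to in sssd) is on. The script below is an added example, not code from the list or the FreeIPA project; the embedded sample is constructed from the config posted above.

```python
import configparser
import ipaddress

# Constructed sample mirroring the sssd.conf posted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = foo.net

[domain/foo.net]
id_provider = ipa
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_tls_cacert = /etc/ipa/ca.crt
"""


def classify_server(entry):
    """Return 'srv', 'ip' or 'fqdn' for one ipa_server list entry."""
    if entry.lower() == "_srv_":
        return "srv"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        return "fqdn"


def audit_domain(conf_text, domain):
    """Parse sssd.conf text and summarise the settings discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp["domain/" + domain]
    servers = [s.strip() for s in sect.get("ipa_server", "").split(",") if s.strip()]
    listed = [d.strip() for d in cp["sssd"].get("domains", "").split(",")]
    return {
        "servers": {s: classify_server(s) for s in servers},
        "uses_srv_discovery": any(classify_server(s) == "srv" for s in servers),
        # sssd defaults enumerate to false when the key is absent.
        "enumerate": sect.getboolean("enumerate", fallback=False),
        "tls_cacert": sect.get("ldap_tls_cacert"),
        "in_domains_list": domain in listed,
    }


if __name__ == "__main__":
    print(audit_domain(SAMPLE_SSSD_CONF, "foo.net"))
```

Run it against a copy of sssd.conf from one client on each network (replace the sample string with the file's contents) and diff the two dictionaries.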
