[Freeipa-users] openldap certs?

Bret Wortman bret.wortman at damascusgrp.com
Thu May 22 15:16:57 UTC 2014


It doesn't seem to have helped -- we're still pretty slow even with IP 
addresses in sssd.conf.

On 05/22/2014 11:07 AM, Dmitri Pal wrote:
> On 05/22/2014 10:36 AM, Bret Wortman wrote:
>> I found that our slower system was using FQDNs for the list of IPA 
>> servers; our faster system was using IPs. I'm switching now, letting 
>> Puppet distribute the update and will see if it helps.
>>
>
> That means you have problems with DNS that are worth looking into.
>
>> By enumeration, do you mean are we spelling out our IPA servers? Yes. 
>> We only have 3 and they look something like this:
>
> No. I mean the ability of sssd to download everything when enumerate = 
> true.
> This causes a lot of traffic and overhead and is a usual reason for low 
> performance.
> We were unfortunate to include this setting into one of the early 
> sssd.conf examples and people have been copying it around ever since 
> though we strongly recommend against enabling it.
>
>>
>> [domain/foo.net]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = foo.net
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = rm266ws-a.foo.net
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> services = nss, pam, ssh
>> config_file_version = 2
>>
>> domains = foo.net
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> On the other hand, if you meant something else, then I hope the 
>> answer's in the file. ;-)
>>
>>
>> On 05/22/2014 10:15 AM, Dmitri Pal wrote:
>>> On 05/22/2014 09:43 AM, Bret Wortman wrote:
>>>> What we're seeing is slow GDM logins, ssh authentications, and 
>>>> "sudo -i" responses on this network. On our other, these things are 
>>>> all blazing fast. Here, they're on the order of 5-10 seconds. And 
>>>> it doesn't seem to improve (much) with age or time, except perhaps 
>>>> anecdotally. At best, a second connection might be a second faster, 
>>>> but will revert within an hour or so.
>>>>
>>>
>>> Have you compared sssd.conf from clients in these two networks?
>>> Do you use enumeration?
>>>
>>> Increasing debug level and looking at the logs will help you to 
>>> understand what part takes most time. These logs will be helpful for 
>>> you/us to see if/what the problem is/are.
>>>
>>>>
>>>> On 05/22/2014 09:36 AM, Rob Crittenden wrote:
>>>>> Bret Wortman wrote:
>>>>>> Where should my clients be getting the contents of 
>>>>>> /etc/openldap/certs from?
>>>>>>
>>>>>> I've got one network where my IPA authentications are blazing 
>>>>>> fast and
>>>>>> one where they're ... not. On the slower one, clients'
>>>>>> /etc/openldap/certs directories are either missing or empty; on the
>>>>>> faster network, clients have certs in these directories.
>>>>>>
>>>>>> Is this important, and if so what could be going wrong on my slower
>>>>>> network that might cause the certs to not get distributed or created
>>>>>> properly?
>>>>> These are not the droids you are looking for...
>>>>>
>>>>> Can you clarify what you mean by IPA authentications? sssd should be
>>>>> handling that, and while a first auth over a slow link might be slow
>>>>> subsequent usage should be quite fast.
>>>>>
>>>>> rob
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>>
>>
>>
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
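As an added example (not code from the thread or from the sssd project), a small Python check for the two performance pitfalls raised above: enumerate = true in a domain section, and ipa_server entries given as hostnames rather than literal addresses, which makes every connection depend on DNS. The sample configuration is constructed from the sssd.conf quoted in the thread, with an enumerate line and one hostname added so both checks fire.

```python
"""Check an sssd.conf for the pitfalls raised above: enumerate = true and
ipa_server entries given as hostnames (every connection then depends on DNS)."""
import configparser
import ipaddress

# Constructed sample modelled on the sssd.conf quoted in the thread; the
# enumerate line and the hostname in ipa_server are added so both checks fire.
SAMPLE_CONF = """\
[domain/foo.net]
cache_credentials = True
id_provider = ipa
ipa_domain = foo.net
ipa_server = _srv_, ipa1.foo.net, 192.168.2.62, 192.168.2.63
enumerate = True

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = foo.net
"""

def classify_server(entry: str) -> str:
    """'srv' for the _srv_ discovery token, 'ip' for a literal address,
    'hostname' for anything else."""
    if entry.lower() == "_srv_":
        return "srv"
    try:
        ipaddress.ip_address(entry)
    except ValueError:
        return "hostname"
    return "ip"

def lint_sssd_conf(text: str) -> dict:
    """Return {section: [findings]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        issues = []
        if cp.getboolean(section, "enumerate", fallback=False):
            issues.append("enumerate=true: sssd downloads the whole directory")
        servers = cp.get(section, "ipa_server", fallback="").split(",")
        names = [s.strip() for s in servers if s.strip() and classify_server(s.strip()) == "hostname"]
        if names:
            issues.append("ipa_server relies on DNS for: " + ", ".join(names))
        findings[section] = issues
    return findings
```

Run lint_sssd_conf on the text of a real /etc/sssd/sssd.conf to get the same findings per domain section; an empty list for a section means neither pitfall is present.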
