[Freeipa-users] openldap certs?

Jakub Hrozek jhrozek at redhat.com
Thu May 22 18:25:47 UTC 2014


On Thu, May 22, 2014 at 11:16:57AM -0400, Bret Wortman wrote:
> It doesn't seem to have helped -- we're still pretty slow even with
> IP addresses in sssd.conf.

Yes, I would expect the performance to be still slow, because when you
perform authentication, the user information is always refreshed from
the server, even with enumeration. This is to ensure correct and precise
group membership at login time.

> 
> On 05/22/2014 11:07 AM, Dmitri Pal wrote:
> >On 05/22/2014 10:36 AM, Bret Wortman wrote:
> >>I found that our slower system was using FQDNs for the list of
> >>IPA servers; our faster system was using IPs. I'm switching now,
> >>letting Puppet distribute the update and will see if it helps.
> >>
> >
> >That means you have problems with DNS that are worth looking into.
> >
> >>By enumeration, do you mean are we spelling out our IPA servers?
> >>Yes. We only have 3 and they look something like this:
> >
> >No. I mean the ability of sssd to download everything when
> >enumerate = true
> >This causes a lot of traffic and overhead and is a usual reason for
> >low performance.
> >We were unfortunate to include this setting in one of the early
> >sssd.conf examples and people have been copying it around ever
> >since, though we strongly recommend against enabling it.
> >
> >>
> >>[domain/foo.net]
> >>
> >>cache_credentials = True
> >>krb5_store_password_if_offline = True
> >>ipa_domain = foo.net
> >>id_provider = ipa
> >>auth_provider = ipa
> >>access_provider = ipa
> >>ipa_hostname = rm266ws-a.foo.net
> >>chpass_provider = ipa
> >>ipa_dyndns_update = True
> >>ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
> >>ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
> >>ldap_tls_cacert = /etc/ipa/ca.crt
> >>[sssd]
> >>services = nss, pam, ssh
> >>config_file_version = 2
> >>
> >>domains = foo.net
> >>[nss]
> >>
> >>[pam]
> >>
> >>[sudo]
> >>
> >>[autofs]
> >>
> >>[ssh]
> >>
> >>[pac]
> >>
> >>On the other hand, if you meant something else, then I hope the
> >>answer's in the file. ;-)
> >>
> >>
> >>On 05/22/2014 10:15 AM, Dmitri Pal wrote:
> >>>On 05/22/2014 09:43 AM, Bret Wortman wrote:
> >>>>What we're seeing is slow GDM logins, ssh authentications,
> >>>>and "sudo -i" responses on this network. On our other, these
> >>>>things are all blazing fast. Here, they're on the order of
> >>>>5-10 seconds. And it doesn't seem to improve (much) with age
> >>>>or time, except perhaps anecdotally. At best, a second
> >>>>connection might be a second faster, but will revert within
> >>>>an hour or so.
> >>>>
> >>>
> >>>Have you compared sssd.conf from clients in these two networks?
> >>>Do you use enumeration?
> >>>
> >>>Increasing the debug level and looking at the logs will help you
> >>>to understand what part takes most time. These logs will be
> >>>helpful for you/us to see whether there is a problem and what it is.
> >>>
> >>>>
> >>>>On 05/22/2014 09:36 AM, Rob Crittenden wrote:
> >>>>>Bret Wortman wrote:
> >>>>>>Where should my clients be getting the contents of
> >>>>>>/etc/openldap/certs from?
> >>>>>>
> >>>>>>I've got one network where my IPA authentications are
> >>>>>>blazing fast and
> >>>>>>one where they're ... not. On the slower one, clients'
> >>>>>>/etc/openldap/certs directories are either missing or empty; on the
> >>>>>>faster network, clients have certs in these directories.
> >>>>>>
> >>>>>>Is this important, and if so what could be going wrong on my slower
> >>>>>>network that might cause the certs to not get distributed or created
> >>>>>>properly?
> >>>>>These are not the droids you are looking for...
> >>>>>
> >>>>>Can you clarify what you mean by IPA authentications? sssd should be
> >>>>>handling that, and while a first auth over a slow link might be slow
> >>>>>subsequent usage should be quite fast.
> >>>>>
> >>>>>rob
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>_______________________________________________
> >>>>Freeipa-users mailing list
> >>>>Freeipa-users at redhat.com
> >>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>
> >>>
> >>>-- 
> >>>Thank you,
> >>>Dmitri Pal
> >>>
> >>>Sr. Engineering Manager IdM portfolio
> >>>Red Hat, Inc.
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >-- 
> >Thank you,
> >Dmitri Pal
> >
> >Sr. Engineering Manager IdM portfolio
> >Red Hat, Inc.
> >
> >
> 



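The two sssd.conf settings the thread singles out (enumerate = true, and ipa_server entries that depend on DNS resolution) can be checked mechanically. The following lint is an added example, not code from the thread or from the sssd project; the sample configuration is constructed, modelled on the one quoted above, and the function name lint_sssd_conf is an assumption.

```python
"""Flag sssd.conf settings the thread identifies as common causes of
slow logins: enumerate = true (full user/group download) and ipa_server
hostnames whose resolution depends on a healthy DNS setup."""
import configparser
import ipaddress

# Constructed sample, modelled on the [domain/foo.net] block in the thread.
SAMPLE_CONF = """
[domain/foo.net]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa1.foo.net, 192.168.2.62
enumerate = true

[sssd]
services = nss, pam, ssh
domains = foo.net
"""


def lint_sssd_conf(text):
    """Return (section, key, value, severity, note) tuples for each finding."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # enumerate = true makes sssd pull every user and group from the server.
        if cp.getboolean(section, "enumerate", fallback=False):
            findings.append((section, "enumerate", cp.get(section, "enumerate"),
                             "warn", "full enumeration; disable unless required"))
        # ipa_server entries: _srv_ means SRV lookup, IPs bypass DNS,
        # anything else is a hostname that must resolve quickly at login.
        servers = [s.strip() for s in cp.get(section, "ipa_server", fallback="").split(",")]
        for srv in servers:
            if not srv or srv.lower() == "_srv_":
                continue
            try:
                ipaddress.ip_address(srv)
            except ValueError:
                findings.append((section, "ipa_server", srv, "info",
                                 "hostname entry; verify DNS resolution latency"))
    return findings


if __name__ == "__main__":
    for section, key, value, severity, note in lint_sssd_conf(SAMPLE_CONF):
        print(f"[{severity}] {section}: {key} = {value} ({note})")
```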