[Freeipa-users] openldap certs?

Dmitri Pal dpal at redhat.com
Thu May 22 21:34:30 UTC 2014


On 05/22/2014 02:25 PM, Jakub Hrozek wrote:
> On Thu, May 22, 2014 at 11:16:57AM -0400, Bret Wortman wrote:
>> It doesn't seem to have helped -- we're still pretty slow even with
>> IP addresses in sssd.conf.
> Yes, I would expect the performance to be still slow, because when you
> perform authentication, the user information is always refreshed from
> the server, even with enumeration.

I do not think they have enumeration; this is why this seems irrelevant.

>   This is to ensure correct and precise
> group membership at login time.
>
>> On 05/22/2014 11:07 AM, Dmitri Pal wrote:
>>> On 05/22/2014 10:36 AM, Bret Wortman wrote:
>>>> I found that our slower system was using FQDNs for the list of
>>>> IPA servers; our faster system was using IPs. I'm switching now,
>>>> letting Puppet distribute the update and will see if it helps.
>>>>
>>> That means you have problems with DNS that are worth looking into.
>>>
>>>> By enumeration, do you mean are we spelling out our IPA servers?
>>>> Yes. We only have 3 and they look something like this:
>>> No. I mean the ability of sssd to download everything when
>>> enumerate = true
>>> This causes a lot of traffic and overhead and is a usual reason for
>>> low performance.
>>> We were unfortunate to include this setting into one of the early
>>> sssd.conf examples and people have been copying it around ever
>>> since though we strongly recommend against enabling it.
>>>
>>>> [domain/foo.net]
>>>>
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = foo.net
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> ipa_hostname = rm266ws-a.foo.net
>>>> chpass_provider = ipa
>>>> ipa_dyndns_update = True
>>>> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
>>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>> [sssd]
>>>> services = nss, pam, ssh
>>>> config_file_version = 2
>>>>
>>>> domains = foo.net
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [sudo]
>>>>
>>>> [autofs]
>>>>
>>>> [ssh]
>>>>
>>>> [pac]
>>>>
>>>> On the other hand, if you meant something else, then I hope the
>>>> answer's in the file. ;-)
>>>>
>>>>
>>>> On 05/22/2014 10:15 AM, Dmitri Pal wrote:
>>>>> On 05/22/2014 09:43 AM, Bret Wortman wrote:
>>>>>> What we're seeing is slow GDM logins, ssh authentications,
>>>>>> and "sudo -i" responses on this network. On our other, these
>>>>>> things are all blazing fast. Here, they're on the order of
>>>>>> 5-10 seconds. And it doesn't seem to improve (much) with age
>>>>>> or time, except perhaps anecdotally. At best, a second
>>>>>> connection might be a second faster, but will revert within
>>>>>> an hour or so.
>>>>>>
>>>>> Have you compared sssd.conf from clients in these two networks?
>>>>> Do you use enumeration?
>>>>>
>>>>> Increasing debug level and looking at the logs will help you
>>>>> to understand what part takes most time. These logs will be
>>>>> helpful for you/us to see if/what the problem is/are.
>>>>>
>>>>>> On 05/22/2014 09:36 AM, Rob Crittenden wrote:
>>>>>>> Bret Wortman wrote:
>>>>>>>> Where should my clients be getting the contents of
>>>>>>>> /etc/openldap/certs from?
>>>>>>>>
>>>>>>>> I've got one network where my IPA authentications are
>>>>>>>> blazing fast and
>>>>>>>> one where they're ... not. On the slower one, clients'
>>>>>>>> /etc/openldap/certs directories are either missing or empty; on the
>>>>>>>> faster network, clients have certs in these directories.
>>>>>>>>
>>>>>>>> Is this important, and if so what could be going wrong on my slower
>>>>>>>> network that might cause the certs to not get distributed or created
>>>>>>>> properly?
>>>>>>> These are not the droids you are looking for...
>>>>>>>
>>>>>>> Can you clarify what you mean by IPA authentications? sssd should be
>>>>>>> handling that, and while a first auth over a slow link might be slow
>>>>>>> subsequent usage should be quite fast.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>> -- 
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>>
>>>>>
>>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
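The thread's advice boils down to two checks: compare sssd.conf between the fast and slow clients, and look for `enumerate = true` and for a server list that depends on DNS. Below is an added example (not from the thread or the SSSD project) that does both offline: it parses sssd.conf with Python's configparser, classifies each `ipa_server` entry as `_srv_`, IP literal or hostname, reports whether enumeration is on and whether `debug_level` is set, and diffs the `[domain/...]` section of two clients. The two sample configs are constructed from the one posted above; the hostnames `ipa1.foo.net` etc. and the `enumerate = true` line in the "slow" variant are assumptions for illustration.

```python
"""Added example: lint an sssd.conf for enumeration and DNS-dependent
server entries, and diff the [domain/...] section of two clients.

Assumptions: sssd.conf is INI-style (it is); only [domain/<name>]
sections are inspected; debug_level is read from the domain section only
(sssd also accepts it under [sssd], [nss], [pam], which is ignored here).
"""
import configparser
import ipaddress

# Constructed sample: the config posted in the thread (IP addresses in
# ipa_server), trimmed to the keys this lint cares about.
FAST_CONF = """
[domain/foo.net]
cache_credentials = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
domains = foo.net
"""

# Constructed sample: the same client as it might have looked before the
# change, with FQDNs (hostnames assumed) and an enumerate = true line
# copied from an old example config.
SLOW_CONF = """
[domain/foo.net]
enumerate = true
cache_credentials = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa1.foo.net, ipa2.foo.net, ipa3.foo.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
domains = foo.net
"""

TRUE_VALUES = {"true", "yes", "1"}


def load(text):
    """Parse sssd.conf text. interpolation=None because values may contain
    '%' (e.g. in LDAP filters), which ConfigParser would otherwise treat
    as a substitution marker."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def classify_servers(value):
    """Split an ipa_server value into the SRV-discovery flag, IP literals
    and hostnames. Hostnames must be resolved on every (re)connect, so a
    broken or slow resolver shows up as slow logins; IP literals hide that
    problem rather than fix it."""
    srv, ips, hostnames = False, [], []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        if item.lower() == "_srv_":
            srv = True
            continue
        try:
            ipaddress.ip_address(item)
            ips.append(item)
        except ValueError:
            hostnames.append(item)
    return {"srv": srv, "ips": ips, "hostnames": hostnames}


def lint(text):
    """Per-domain findings: enumeration on/off, ipa_server classification,
    and whether debug_level is set (needed to see what step is slow)."""
    cp = load(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        report[section] = {
            "enumerate": dom.get("enumerate", "false").strip().lower() in TRUE_VALUES,
            "servers": classify_servers(dom.get("ipa_server", "")),
            "debug_level": dom.get("debug_level"),
        }
    return report


def diff_domain(a_text, b_text, section):
    """Keys whose value differs (or is missing) between two clients'
    [domain/...] sections, as {key: (a_value, b_value)}."""
    a, b = load(a_text), load(b_text)
    a_sec = dict(a[section]) if a.has_section(section) else {}
    b_sec = dict(b[section]) if b.has_section(section) else {}
    return {k: (a_sec.get(k), b_sec.get(k))
            for k in sorted(set(a_sec) | set(b_sec))
            if a_sec.get(k) != b_sec.get(k)}


if __name__ == "__main__":
    for name, conf in (("fast", FAST_CONF), ("slow", SLOW_CONF)):
        print(name, lint(conf))
    print(diff_domain(FAST_CONF, SLOW_CONF, "domain/foo.net"))
```

Run it against `/etc/sssd/sssd.conf` copied from one client of each network (the file is root-only, mode 0600, so read it as root and do not paste the `krb5_store_password_if_offline` related cache files anywhere). A non-empty `hostnames` list on the slow network is the cue to test DNS resolution of those names from that client rather than to leave IP literals in place permanently, since hard-coded addresses bypass `_srv_` failover when a server is replaced.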