[Freeipa-users] openldap certs?

Dmitri Pal dpal at redhat.com
Thu May 22 21:35:33 UTC 2014


On 05/22/2014 11:16 AM, Bret Wortman wrote:
> It doesn't seem to have helped -- we're still pretty slow even with IP 
> addresses in sssd.conf.

Then we need debug logs to see where the delays are. Set a high debug 
level and zip the logs somewhere we can take a look at them.
Jakub is your guy.

>
> On 05/22/2014 11:07 AM, Dmitri Pal wrote:
>> On 05/22/2014 10:36 AM, Bret Wortman wrote:
>>> I found that our slower system was using FQDNs for the list of IPA 
>>> servers; our faster system was using IPs. I'm switching now, letting 
>>> Puppet distribute the update and will see if it helps.
>>>
>>
>> That means you have problems with DNS that are worth looking into.
>>
>>> By enumeration, do you mean are we spelling out our IPA servers? 
>>> Yes. We only have 3 and they look something like this:
>>
>> No. I mean the ability of sssd to download everything when enumerate 
>> = true
>> This causes a lot of traffic and overhead and is a usual reason for low 
>> performance.
>> We were unfortunate to include this setting into one of the early 
>> sssd.conf examples and people have been copying it around ever since 
>> though we strongly recommend against enabling it.
>>
>>>
>>> [domain/foo.net]
>>>
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = foo.net
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = rm266ws-a.foo.net
>>> chpass_provider = ipa
>>> ipa_dyndns_update = True
>>> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> [sssd]
>>> services = nss, pam, ssh
>>> config_file_version = 2
>>>
>>> domains = foo.net
>>> [nss]
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>> On the other hand, if you meant something else, then I hope the 
>>> answer's in the file. ;-)
>>>
>>>
>>> On 05/22/2014 10:15 AM, Dmitri Pal wrote:
>>>> On 05/22/2014 09:43 AM, Bret Wortman wrote:
>>>>> What we're seeing is slow GDM logins, ssh authentications, and 
>>>>> "sudo -i" responses on this network. On our other, these things 
>>>>> are all blazing fast. Here, they're on the order of 5-10 seconds. 
>>>>> And it doesn't seem to improve (much) with age or time, except 
>>>>> perhaps anecdotally. At best, a second connection might be a 
>>>>> second faster, but will revert within an hour or so.
>>>>>
>>>>
>>>> Have you compared sssd.conf from clients in these two networks?
>>>> Do you use enumeration?
>>>>
>>>> Increasing debug level and looking at the logs will help you to 
>>>> understand what part takes most time. These logs will be helpful 
>>>> for you/us to see if/what the problem is/are.
>>>>
>>>>>
>>>>> On 05/22/2014 09:36 AM, Rob Crittenden wrote:
>>>>>> Bret Wortman wrote:
>>>>>>> Where should my clients be getting the contents of 
>>>>>>> /etc/openldap/certs from?
>>>>>>>
>>>>>>> I've got one network where my IPA authentications are blazing 
>>>>>>> fast and
>>>>>>> one where they're ... not. On the slower one, clients'
>>>>>>> /etc/openldap/certs directories are either missing or empty; on the
>>>>>>> faster network, clients have certs in these directories.
>>>>>>>
>>>>>>> Is this important, and if so what could be going wrong on my slower
>>>>>>> network that might cause the certs to not get distributed or 
>>>>>>> created
>>>>>>> properly?
>>>>>> These are not the droids you are looking for...
>>>>>>
>>>>>> Can you clarify what you mean by IPA authentications? sssd should be
>>>>>> handling that, and while a first auth over a slow link might be slow
>>>>>> subsequent usage should be quite fast.
>>>>>>
>>>>>> rob
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
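The thread boils down to three checks on a client's sssd.conf: whether enumeration is switched on, whether ipa_server depends on DNS (FQDNs rather than IPs or _srv_), and whether a debug_level is set so useful logs can be collected. The following Python script is an added example, not code from the thread or from SSSD; it parses an sssd.conf-style file with configparser and reports those three conditions. The sample config string, the finding codes and the function names are constructed for this example; the defaults it assumes (enumerate off unless set, debug_level per section) match SSSD's documented behaviour.

```python
"""Audit an sssd.conf for the performance pitfalls discussed in the thread."""
import configparser
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample, modelled on the config quoted in the thread but with
# enumerate = True and an FQDN in ipa_server added so every check fires.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = foo.net

[domain/foo.net]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = foo.net
ipa_hostname = rm266ws-a.foo.net
ipa_server = _srv_, ipa1.foo.net, 192.168.2.62
enumerate = True
ldap_tls_cacert = /etc/ipa/ca.crt

[nss]
[pam]
"""

Finding = Tuple[str, str]  # (code, human-readable explanation)


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text. It is ini-style; option names are kept in their
    original case rather than lowercased by configparser."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # type: ignore[method-assign]
    cfg.read_string(text)
    return cfg


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname or '_srv_'."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_domain(cfg: configparser.ConfigParser, section: str) -> List[Finding]:
    """Return the findings for one [domain/...] section."""
    sec = cfg[section]
    findings: List[Finding] = []

    # 1. Enumeration: downloads every user and group; the thread's main culprit.
    if sec.get("enumerate", "false").strip().lower() in ("true", "yes", "1"):
        findings.append(("ENUMERATE",
                         "enumerate is on: sssd pulls the whole directory, "
                         "which is a common cause of slow logins"))

    # 2. Servers given as hostnames make every lookup depend on DNS health.
    servers = [s.strip() for s in sec.get("ipa_server", "").split(",") if s.strip()]
    hostnames = [s for s in servers if s.lower() != "_srv_" and not is_ip_literal(s)]
    if hostnames:
        findings.append(("DNS_DEPENDENT_SERVERS",
                         f"ipa_server names {hostnames} need DNS; if IPs are "
                         "faster, investigate resolution in this network"))

    # 3. Without a debug_level there is nothing useful to send for analysis.
    if "debug_level" not in sec:
        findings.append(("NO_DEBUG_LEVEL",
                         "no debug_level in this section; set one before "
                         "collecting logs to locate the delay"))
    return findings


def audit(text: str) -> Dict[str, List[Finding]]:
    """Audit every domain section of an sssd.conf and map section -> findings."""
    cfg = load_sssd_conf(text)
    return {s: audit_domain(cfg, s) for s in cfg.sections() if s.startswith("domain/")}


if __name__ == "__main__":
    for section, items in audit(SAMPLE_SSSD_CONF).items():
        print(section)
        for code, why in items:
            print(f"  [{code}] {why}")
```

Run it against a real file with `audit(open("/etc/sssd/sssd.conf").read())`; the finding codes are meant to be consumed by configuration-management or compliance tooling, so a fleet-wide check for ENUMERATE is a one-liner once the files are collected.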
