[Freeipa-users] LDAP/SSSD/IPA performance

Bret Wortman bret.wortman at damascusgrp.com
Fri May 23 13:48:00 UTC 2014 

More soft/anecdotal:

When executing "sudo -i" or "sudo -iu" the first time, we can expect a 
several second delay before the command completes. If we then exit the 
session and re-execute the command, it will complete almost instantly. 
So whatever cache is holding this information, if we could increase its 
duration, that would certainly make our pain less. Is this a settable value?

Entering a password into a screensaver is particularly painful. 10+ 
seconds before the screensaver will exit.

We are looking at environmental possibilities, like interfaces and such. 
This machine is running on a VMware VM, but we've had success deploying 
IPA on VMs in the past, and our faster network is running VMs as well 
(with one physical box).


Bret


On 05/23/2014 08:15 AM, Bret Wortman wrote:
> Collecting my various threads together under one big issue and adding 
> this new data point:
>
> Our web UI on our slow network is exhibiting some strange behavior as 
> well.
>
> When selecting, for example, the "Users", it can take up to 5 seconds 
> to fetch 20 out of our 56 entries.
>
> When switching to "Hosts", it took 4 seconds for the footer to show 
> that there would be 47 pages in total, then after 10 seconds total, 
> the page loaded 20 of 939 entries. When I select a host, the 
> previously-selected host will actually be displayed for upwards of 
> 8-10 seconds (while the spinning cursor spins near the word Logout) 
> until the host actually loads.
>
> Is it just me, or does this, plus everything else, start to sound like 
> LDAP is struggling?
>
> I ran a test using ldapsearch in authenticated and unauthenticated 
> mode from my workstation and here's what I found, which may tell us 
> nothing:
>
> # time ldapsearch -x -H -ldap://zsipa.foo.net 
> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
> :
> real    0m2.047s
> user   0m0.000s
> sys     0m0.001s
> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net 
> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
> :
> real    0m2.816s
> user   0m0.004s
> sys     0m0.002s
>
> When I did this locally on the ipa master:
>
> # ssh zsipa.foo.net
> # time ldapsearch -Y GSSAPI 
> base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
> :
> real    0m0.847s
> user   0m0.007s
> sys     0m0.006s
> #
>
>
> -- 
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140523/42e1af5d/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 28526 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140523/42e1af5d/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3766 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140523/42e1af5d/attachment.p7s>

More information about the Freeipa-users mailing list