[Freeipa-users] LDAP/SSSD/IPA performance

Jakub Hrozek jhrozek at redhat.com
Fri May 23 14:03:44 UTC 2014


On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
> More soft/anecdotal:
> 
> When executing "sudo -i" or "sudo -iu" the first time, we can expect
> a several second delay before the command completes. If we then exit
> the session and re-execute the command, it will complete almost
> instantly. So whatever cache is holding this information, if we
> could increase its duration, that would certainly make our pain
> less. Is this a settable value?
> 
> Entering a password into a screensaver is particularly painful. 10+
> seconds before the screensaver will exit.
> 
> We are looking at environmental possibilities, like interfaces and
> such. This machine is running on a VMware VM, but we've had success
> deploying IPA on VMs in the past, and our faster network is running
> VMs as well (with one physical box).

Can you try increasing this option:

       pam_id_timeout (integer)
           For any PAM request while SSSD is online, the SSSD will attempt to
           immediately update the cached identity information for the user in
           order to ensure that authentication takes place with the latest
           information.

           A complete PAM conversation may perform multiple PAM requests, such
           as account management and session opening. This option controls (on
           a per-client-application basis) how long (in seconds) we can cache
           the identity information to avoid excessive round-trips to the
           identity provider.

           Default: 5
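
Where the option quoted above goes, as an added example that is not part of the original message: `pam_id_timeout` belongs in the `[pam]` section of `sssd.conf`. The value 30 is a constructed sample, not a figure from the thread.

```ini
# /etc/sssd/sssd.conf (SSSD requires this file to be owned by root, mode 0600)
[pam]
# Default is 5 seconds when the option is unset.
# 30 is a constructed example value; pick one that matches how quickly
# account and group changes must reach PAM clients.
pam_id_timeout = 30
```

Restart SSSD for the change to take effect. While the timeout is running, PAM requests from the same client application are served from identity information that can be up to that many seconds old, so keep it short where account changes must apply promptly.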



