[Freeipa-users] LDAP/SSSD/IPA performance

Bret Wortman bret.wortman at damascusgrp.com
Fri May 23 14:03:59 UTC 2014


On 05/23/2014 09:53 AM, Mauricio Tavares wrote:
>
>
>
> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman
> <bret.wortman at damascusgrp.com> wrote:
>
>     More soft/anecdotal:
>
>     When executing "sudo -i" or "sudo -iu" the first time, we can
>     expect a several second delay before the command completes. If we
>     then exit the session and re-execute the command, it will complete
>     almost instantly. So whatever cache is holding this information,
>     if we could increase its duration, that would certainly make our
>     pain less. Is this a settable value?
>
>     Entering a password into a screensaver is particularly painful.
>     10+ seconds before the screensaver will exit.
>
>     We are looking at environmental possibilities, like interfaces and
>     such. This machine is running on a VMware VM, but we've had
>     success deploying IPA on VMs in the past, and our faster network
>     is running VMs as well (with one physical box).
>
>
>     Bret
>
>       Did running sudo in debugging mode (SUDOERS_DEBUG  2 in 
> ldap.conf) give you any more clues?
>
>
No. I compared the output on both networks and there's no real 
difference once I accounted for HBAC on one (which produced 2 entries on 
the slower network that got filtered down to 1 user match and 1 host 
match). But the debug output was nearly identical.

>
>     On 05/23/2014 08:15 AM, Bret Wortman wrote:
>>     Collecting my various threads together under one big issue and
>>     adding this new data point:
>>
>>     Our web UI on our slow network is exhibiting some strange
>>     behavior as well.
>>
>>     When selecting, for example, the "Users", it can take up to 5
>>     seconds to fetch 20 out of our 56 entries.
>>
>>     When switching to "Hosts", it took 4 seconds for the footer to
>>     show that there would be 47 pages in total, then after 10 seconds
>>     total, the page loaded 20 of 939 entries. When I select a host,
>>     the previously-selected host will actually be displayed for
>>     upwards of 8-10 seconds (while the spinning cursor spins near the
>>     word Logout) until the host actually loads.
>>
>>     Is it just me, or does this, plus everything else, start to sound
>>     like LDAP is struggling?
>>
>>     I ran a test using ldapsearch in authenticated and
>>     unauthenticated mode from my workstation and here's what I found,
>>     which may tell us nothing:
>>
>>     # time ldapsearch -x -H ldap://zsipa.foo.net
>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>     :
>>     real    0m2.047s
>>     user   0m0.000s
>>     sys     0m0.001s
>>     # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>     :
>>     real    0m2.816s
>>     user   0m0.004s
>>     sys     0m0.002s
>>
>>     When I did this locally on the ipa master:
>>
>>     # ssh zsipa.foo.net
>>     # time ldapsearch -Y GSSAPI
>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>     :
>>     real    0m0.847s
>>     user   0m0.007s
>>     sys     0m0.006s
>>     #
>>
>>
>>     -- 
>>     *Bret Wortman*
>>
>>     http://damascusgrp.com/
>>     http://about.me/wortmanbret
>>
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
