[Freeipa-users] LDAP/SSSD/IPA performance

Jakub Hrozek jhrozek at redhat.com
Fri May 23 14:05:27 UTC 2014


On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote:
> On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
> > More soft/anecdotal:
> > 
> > When executing "sudo -i" or "sudo -iu" the first time, we can expect
> > a several second delay before the command completes. If we then exit
> > the session and re-execute the command, it will complete almost
> > instantly. So whatever cache is holding this information, if we
> > could increase its duration, that would certainly make our pain
> > less. Is this a settable value?
> > 
> > Entering a password into a screensaver is particularly painful. 10+
> > seconds before the screensaver will exit.
> > 
> > We are looking at environmental possibilities, like interfaces and
> > such. This machine is running on a VMware VM, but we've had success
> > deploying IPA on VMs in the past, and our faster network is running
> > VMs as well (with one physical box).
> 
> Can you try increasing this option:
> 
>        pam_id_timeout (integer)
>            For any PAM request while SSSD is online, the SSSD will attempt to
>            immediately update the cached identity information for the user in
>            order to ensure that authentication takes place with the latest
>            information.
> 
>            A complete PAM conversation may perform multiple PAM requests, such
>            as account management and session opening. This option controls (on
>            a per-client-application basis) how long (in seconds) we can cache
>            the identity information to avoid excessive round-trips to the
>            identity provider.
> 
>            Default: 5

I should also have explicitly said that the option belongs to the [pam]
section.
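A small check for the placement point made in the message above, as an added example that is not part of the original post or of SSSD: it parses sssd.conf text and reports the pam_id_timeout value found in [pam], along with any other section where the option was set instead. The sample configurations, the domain name example.test and the value 30 are constructed for illustration.

```python
import configparser

DEFAULT_PAM_ID_TIMEOUT = 5  # "Default: 5" from the man page text quoted above

# Constructed sample: option placed in a domain section instead of [pam].
MISPLACED_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
pam_id_timeout = 30

[pam]
"""

# Constructed sample: option placed in [pam], where the message says it belongs.
CORRECT_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa

[pam]
pam_id_timeout = 30
"""

def check_pam_id_timeout(conf_text):
    """Return (value taken from [pam] or the default, other sections setting it)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    effective = DEFAULT_PAM_ID_TIMEOUT
    misplaced = []
    for section in parser.sections():
        if not parser.has_option(section, "pam_id_timeout"):
            continue
        if section == "pam":
            effective = parser.getint(section, "pam_id_timeout")
        else:
            misplaced.append(section)
    return effective, misplaced

if __name__ == "__main__":
    for name, text in (("misplaced", MISPLACED_CONF), ("correct", CORRECT_CONF)):
        print(name, check_pam_id_timeout(text))
```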



