[Freeipa-users] LDAP/SSSD/IPA performance

Bret Wortman bret.wortman at damascusgrp.com
Fri May 23 14:20:44 UTC 2014


I assumed. It obviously hasn't helped our sudo situation, but I wouldn't 
expect it to. I'll let you know how it plays against screensavers and such.

On 05/23/2014 10:05 AM, Jakub Hrozek wrote:
> On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote:
>> On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
>>> More soft/anecdotal:
>>>
>>> When executing "sudo -i" or "sudo -iu" the first time, we can expect
>>> a several second delay before the command completes. If we then exit
>>> the session and re-execute the command, it will complete almost
>>> instantly. So whatever cache is holding this information, if we
>>> could increase its duration, that would certainly make our pain
>>> less. Is this a settable value?
>>>
>>> Entering a password into a screensaver is particularly painful. 10+
>>> seconds before the screensaver will exit.
>>>
>>> We are looking at environmental possibilities, like interfaces and
>>> such. This machine is running on a VMware VM, but we've had success
>>> deploying IPA on VMs in the past, and our faster network is running
>>> VMs as well (with one physical box).
>> Can you try increasing this option:
>>
>>         pam_id_timeout (integer)
>>             For any PAM request while SSSD is online, the SSSD will attempt to
>>             immediately update the cached identity information for the user in
>>             order to ensure that authentication takes place with the latest
>>             information.
>>
>>             A complete PAM conversation may perform multiple PAM requests, such
>>             as account management and session opening. This option controls (on
>>             a per-client-application basis) how long (in seconds) we can cache
>>             the identity information to avoid excessive round-trips to the
>>             identity provider.
>>
>>             Default: 5
> I should also have explicitly said that the option belongs to the [pam]
> section.


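A way to confirm where the option actually landed, as an added example that is not part of the original thread: it parses an sssd.conf text, reports the `pam_id_timeout` value set in `[pam]`, and flags copies of the option in any other section. The sample config, the domain name `example.test` and the function name `check_pam_id_timeout` are constructed for illustration; treating other sections as misplaced follows the note quoted above.

```python
import configparser

DEFAULT_PAM_ID_TIMEOUT = 5  # default quoted in the man page excerpt above

# Constructed sample sssd.conf: the option appears once in a domain
# section (misplaced) and once in [pam]; example.test is a placeholder.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
pam_id_timeout = 60

[pam]
pam_id_timeout = 30
"""


def check_pam_id_timeout(conf_text):
    """Return (effective_seconds, misplaced_sections) for an sssd.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    effective = DEFAULT_PAM_ID_TIMEOUT
    misplaced = []
    for section in parser.sections():
        if not parser.has_option(section, "pam_id_timeout"):
            continue
        if section == "pam":
            # The only section the thread says the option belongs to.
            effective = parser.getint(section, "pam_id_timeout")
        else:
            # Set somewhere else: report it so it can be moved.
            misplaced.append(section)
    return effective, misplaced


if __name__ == "__main__":
    seconds, misplaced = check_pam_id_timeout(SAMPLE_CONF)
    print(f"[pam] pam_id_timeout in effect: {seconds}s")
    for name in misplaced:
        print(f"misplaced: pam_id_timeout set in [{name}], outside [pam]")
```
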