[Freeipa-users] LDAP/SSSD/IPA performance
Bret Wortman
bret.wortman at damascusgrp.com
Fri May 23 14:20:44 UTC 2014
I assumed. It obviously hasn't helped our sudo situation, but I wouldn't
expect it to. I'll let you know how it plays against screensavers and such.
On 05/23/2014 10:05 AM, Jakub Hrozek wrote:
> On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote:
>> On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
>>> More soft/anecdotal:
>>>
>>> When executing "sudo -i" or "sudo -iu" the first time, we can expect
>>> a several second delay before the command completes. If we then exit
>>> the session and re-execute the command, it will complete almost
>>> instantly. So whatever cache is holding this information, if we
>>> could increase its duration, that would certainly make our pain
>>> less. Is this a settable value?
>>>
>>> Entering a password into a screensaver is particularly painful. 10+
>>> seconds before the screensaver will exit.
>>>
>>> We are looking at environmental possibilities, like interfaces and
>>> such. This machine is running on a VMware VM, but we've had success
>>> deploying IPA on VMs in the past, and our faster network is running
>>> VMs as well (with one physical box).
>> Can you try increasing this option:
>>
>> pam_id_timeout (integer)
>> For any PAM request while SSSD is online, the SSSD will attempt to
>> immediately update the cached identity information for the user in
>> order to ensure that authentication takes place with the latest
>> information.
>>
>> A complete PAM conversation may perform multiple PAM requests, such
>> as account management and session opening. This option controls (on
>> a per-client-application basis) how long (in seconds) we can cache
>> the identity information to avoid excessive round-trips to the
>> identity provider.
>>
>> Default: 5
> I should also have explicitly said that the option belongs to the [pam]
> section.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3766 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140523/4cb4018f/attachment.p7s>
More information about the Freeipa-users
mailing list