[Freeipa-users] LDAP/SSSD/IPA performance

Dmitri Pal dpal at redhat.com
Fri May 23 18:44:36 UTC 2014


On 05/23/2014 10:03 AM, Bret Wortman wrote:
>
> On 05/23/2014 09:53 AM, Mauricio Tavares wrote:
>>
>>
>>
>> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman 
>> <bret.wortman at damascusgrp.com> wrote:
>>
>>     More soft/anecdotal:
>>
>>     When executing "sudo -i" or "sudo -iu" the first time, we can
>>     expect a several second delay before the command completes. If we
>>     then exit the session and re-execute the command, it will
>>     complete almost instantly. So whatever cache is holding this
>>     information, if we could increase its duration, that would
>>     certainly make our pain less. Is this a settable value?
>>
>>     Entering a password into a screensaver is particularly painful.
>>     10+ seconds before the screensaver will exit.
>>
>>     We are looking at environmental possibilities, like interfaces
>>     and such. This machine is running on a VMware VM, but we've had
>>     success deploying IPA on VMs in the past, and our faster network
>>     is running VMs as well (with one physical box).
>>
>>
>>     Bret
>>
>>       Did running sudo in debugging mode (SUDOERS_DEBUG  2 in 
>> ldap.conf) give you any more clues?
>>
>>
> No. I compared the output on both networks and there's no real 
> difference once I accounted for HBAC on one (which produced 2 entries 
> on the slower network that got filtered down to 1 user match and 1 
> host match). But the debug output was nearly identical.

Did you see any gaps in time in the logs that are different?
The flow can be the same but some operations can take longer, so there 
would be a hint to us on what to look for.

>
>>
>>     On 05/23/2014 08:15 AM, Bret Wortman wrote:
>>>     Collecting my various threads together under one big issue and
>>>     adding this new data point:
>>>
>>>     Our web UI on our slow network is exhibiting some strange
>>>     behavior as well.
>>>
>>>     When selecting, for example, the "Users", it can take up to 5
>>>     seconds to fetch 20 out of our 56 entries.
>>>
>>>     When switching to "Hosts", it took 4 seconds for the footer to
>>>     show that there would be 47 pages in total, then after 10
>>>     seconds total, the page loaded 20 of 939 entries. When I select
>>>     a host, the previously-selected host will actually be displayed
>>>     for upwards of 8-10 seconds (while the spinning cursor spins
>>>     near the word Logout) until the host actually loads.
>>>
>>>     Is it just me, or does this, plus everything else, start to
>>>     sound like LDAP is struggling?
>>>
>>>     I ran a test using ldapsearch in authenticated and
>>>     unauthenticated mode from my workstation and here's what I
>>>     found, which may tell us nothing:
>>>
>>>     # time ldapsearch -x -H ldap://zsipa.foo.net
>>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>     :
>>>     real    0m2.047s
>>>     user   0m0.000s
>>>     sys     0m0.001s
>>>     # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
>>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>     :
>>>     real    0m2.816s
>>>     user   0m0.004s
>>>     sys     0m0.002s
>>>
>>>     When I did this locally on the ipa master:
>>>
>>>     # ssh zsipa.foo.net
>>>     # time ldapsearch -Y GSSAPI
>>>     base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
>>>     :
>>>     real    0m0.847s
>>>     user   0m0.007s
>>>     sys     0m0.006s
>>>     #
>>>
>>>
>>>     -- 
>>>     *Bret Wortman*
>>>
>>>     http://damascusgrp.com/
>>>     http://about.me/wortmanbret
>>>
>>>
>>>
>>>     _______________________________________________
>>>     Freeipa-users mailing list
>>>     Freeipa-users at redhat.com
>>>     https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
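
The timing comparison suggested in the reply above, as an added example that is not part of the original message: it pairs the same steps from a fast-network log and a slow-network log and reports the steps that took longer. The line layout "(Fri May 23 10:03:01 2014) [component] message", the step names and both sample logs are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed line layout: "(Fri May 23 10:03:01 2014) [component] message".
LINE = re.compile(r"^\((?P<ts>[^)]+)\)\s+(?P<msg>.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample logs: identical flow, different timing.
FAST_LOG = """\
(Fri May 23 10:03:01 2014) [step] connect to directory server
(Fri May 23 10:03:01 2014) [step] bind
(Fri May 23 10:03:01 2014) [step] search sudo rules
(Fri May 23 10:03:02 2014) [step] evaluate rules
(Fri May 23 10:03:02 2014) [step] done
"""
SLOW_LOG = """\
(Fri May 23 10:03:01 2014) [step] connect to directory server
(Fri May 23 10:03:04 2014) [step] bind
(Fri May 23 10:03:04 2014) [step] search sudo rules
(Fri May 23 10:03:09 2014) [step] evaluate rules
(Fri May 23 10:03:09 2014) [step] done
"""

def parse(log_text):
    """Return [(datetime, message)] for every line that carries a timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FORMAT), m.group("msg")))
    return events

def step_durations(events):
    """Seconds from each event to the next, keyed by the message that started the wait."""
    return [(msg, (nxt - ts).total_seconds())
            for (ts, msg), (nxt, _) in zip(events, events[1:])]

def slower_steps(fast_log, slow_log, min_extra=2.0):
    """Pair steps by position and report those slower by at least min_extra seconds."""
    report = []
    for (f_msg, f_dur), (s_msg, s_dur) in zip(step_durations(parse(fast_log)),
                                              step_durations(parse(slow_log))):
        if f_msg != s_msg:  # the comparison only makes sense while the flows match
            raise ValueError(f"flows diverge: {f_msg!r} vs {s_msg!r}")
        if s_dur - f_dur >= min_extra:
            report.append((s_msg, f_dur, s_dur))
    return report
```

With timestamps at one-second resolution, only gaps of a second or more are visible, so `min_extra` should stay above that.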
