[Freeipa-users] LDAP/SSSD/IPA performance

Bret Wortman bret.wortman at damascusgrp.com
Mon May 26 12:26:36 UTC 2014


Dmitri, in what logs should I expect to see something as a result of 
setting "sudoers_debug 2"? I've searched the logs on my ipa client 
that's slow, but haven't seen anything in any log file.

Or did I misunderstand?


Bret

On 05/23/2014 02:44 PM, Dmitri Pal wrote:
> On 05/23/2014 10:03 AM, Bret Wortman wrote:
>>
>> On 05/23/2014 09:53 AM, Mauricio Tavares wrote:
>>>
>>>
>>>
>>> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman 
>>> <bret.wortman at damascusgrp.com> wrote:
>>>
>>>     More soft/anecdotal:
>>>
>>>     When executing "sudo -i" or "sudo -iu" the first time, we can
>>>     expect a several second delay before the command completes. If
>>>     we then exit the session and re-execute the command, it will
>>>     complete almost instantly. So whatever cache is holding this
>>>     information, if we could increase its duration, that would
>>>     certainly make our pain less. Is this a settable value?
>>>
>>>     Entering a password into a screensaver is particularly painful.
>>>     10+ seconds before the screensaver will exit.
>>>
>>>     We are looking at environmental possibilities, like interfaces
>>>     and such. This machine is running on a VMware VM, but we've had
>>>     success deploying IPA on VMs in the past, and our faster network
>>>     is running VMs as well (with one physical box).
>>>
>>>
>>>     Bret
>>>
>>>       Did running sudo in debugging mode (SUDOERS_DEBUG  2 in 
>>> ldap.conf) give you any more clues?
>>>
>>>
>> No. I compared the output on both networks and there's no real 
>> difference once I accounted for HBAC on one (which produced 2 entries 
>> on the slower network that got filtered down to 1 user match and 1 
>> host match). But the debug output was nearly identical.
>
> Did you see any gaps in time in the logs that are different?
> The flow can be the same but some operations can take longer so there 
> would be a hint to us on what to look for.
>
>>
>>>
>>>     On 05/23/2014 08:15 AM, Bret Wortman wrote:
>>>>     Collecting my various threads together under one big issue and
>>>>     adding this new data point:
>>>>
>>>>     Our web UI on our slow network is exhibiting some strange
>>>>     behavior as well.
>>>>
>>>>     When selecting, for example, the "Users", it can take up to 5
>>>>     seconds to fetch 20 out of our 56 entries.
>>>>
>>>>     When switching to "Hosts", it took 4 seconds for the footer to
>>>>     show that there would be 47 pages in total, then after 10
>>>>     seconds total, the page loaded 20 of 939 entries. When I select
>>>>     a host, the previously-selected host will actually be displayed
>>>>     for upwards of 8-10 seconds (while the spinning cursor spins
>>>>     near the word Logout) until the host actually loads.
>>>>
>>>>     Is it just me, or does this, plus everything else, start to
>>>>     sound like LDAP is struggling?
>>>>
>>>>     I ran a test using ldapsearch in authenticated and
>>>>     unauthenticated mode from my workstation and here's what I
>>>>     found, which may tell us nothing:
>>>>
>>>>     # time ldapsearch -x -H -ldap://zsipa.foo.net
>>>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>>     :
>>>>     real    0m2.047s
>>>>     user   0m0.000s
>>>>     sys     0m0.001s
>>>>     # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
>>>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>>     :
>>>>     real    0m2.816s
>>>>     user   0m0.004s
>>>>     sys     0m0.002s
>>>>
>>>>     When I did this locally on the ipa master:
>>>>
>>>>     # ssh zsipa.foo.net
>>>>     # time ldapsearch -Y GSSAPI
>>>>     base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
>>>>     :
>>>>     real    0m0.847s
>>>>     user   0m0.007s
>>>>     sys     0m0.006s
>>>>     #
>>>>
>>>>
>>>>     -- 
>>>>     *Bret Wortman*
>>>>
>>>>     http://damascusgrp.com/
>>>>     http://about.me/wortmanbret
>>>>
>>>>
>>>>
>>>>     _______________________________________________
>>>>     Freeipa-users mailing list
>>>>     Freeipa-users at redhat.com
>>>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>

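Added example, not part of the original thread and not FreeIPA or SSSD code: one way to act on the suggestion above to look for time gaps that differ between the two networks is to align the two debug logs step by step and report where the slow host waits longer. The line layout `(timestamp) [component] [function] (level): message` with second-resolution timestamps is an assumption, and the sample logs, including their function names, are constructed placeholders.

```python
import re
from datetime import datetime
from difflib import SequenceMatcher

# Assumed line layout: "(Fri May 23 09:48:01 2014) [component] [function] (level): msg"
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\)\s+\[.+?\]\s+\[(?P<func>[^\]]+)\]")

def parse(log_text):
    """Return [(timestamp, function)] for each line matching the assumed layout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # unparseable or continuation lines are skipped
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("func")))
    return events

def step_gaps(events):
    """Seconds between each event and the next one."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]

def slower_steps(slow_log, fast_log, min_extra=1.0):
    """Steps in both flows whose gap is >= min_extra seconds longer on the slow host."""
    slow, fast = parse(slow_log), parse(fast_log)
    sg, fg = step_gaps(slow), step_gaps(fast)
    # Align on function names so extra entries on one side do not shift the comparison.
    sm = SequenceMatcher(None, [f for _, f in slow], [f for _, f in fast], autojunk=False)
    found = []
    for i, j, n in sm.get_matching_blocks():
        for k in range(n - 1):  # only consecutive pairs inside one matched run
            extra = sg[i + k] - fg[j + k]
            if extra >= min_extra:
                found.append((extra, slow[i + k][1], slow[i + k + 1][1]))
    return sorted(found, reverse=True)

# Constructed sample logs: function names and messages are placeholders, not real output.
def _line(clock, func):
    return f"(Fri May 23 {clock} 2014) [sssd[be[foo.net]]] [{func}] (0x0400): constructed"

SLOW_LOG = "\n".join(_line(c, f) for c, f in [
    ("09:48:01", "request_received"), ("09:48:01", "resolve_server"),
    ("09:48:05", "ldap_search_sent"), ("09:48:05", "hbac_filter"),  # extra entry on slow side
    ("09:48:06", "ldap_search_done"), ("09:48:06", "reply_sent")])
FAST_LOG = "\n".join(_line("09:50:10", f) for f in [
    "request_received", "resolve_server", "ldap_search_sent",
    "ldap_search_done", "reply_sent"])

if __name__ == "__main__":
    for extra, before, after in slower_steps(SLOW_LOG, FAST_LOG):
        print(f"+{extra:.0f}s between {before} and {after}")
```

Gaps that span an entry present on only one side (here the constructed `hbac_filter` line) are not compared, so check those by hand.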