[Freeipa-users] LDAP/SSSD/IPA performance

Bret Wortman bret.wortman at damascusgrp.com
Mon May 26 13:51:31 UTC 2014


Okay, I found something in the slapd-FOO-NET/access log. I figured out 
which conn ID related to a sudo -i that I performed which took longer 
than expected and grepped for that conn ID:

[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=defaults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed - U1



On 05/26/2014 08:26 AM, Bret Wortman wrote:
> Dmitri, in what logs should I expect to see something as a result of 
> setting "sudoers_debug 2"? I've searched the logs on my ipa client 
> that's slow, but haven't seen anything in any log file.
>
> Or did I misunderstand?
>
>
> Bret
>
> On 05/23/2014 02:44 PM, Dmitri Pal wrote:
>> On 05/23/2014 10:03 AM, Bret Wortman wrote:
>>>
>>> On 05/23/2014 09:53 AM, Mauricio Tavares wrote:
>>>>
>>>>
>>>>
>>>> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman 
>>>> <bret.wortman at damascusgrp.com> wrote:
>>>>
>>>>     More soft/anecdotal:
>>>>
>>>>     When executing "sudo -i" or "sudo -iu" the first time, we can
>>>>     expect a several second delay before the command completes. If
>>>>     we then exit the session and re-execute the command, it will
>>>>     complete almost instantly. So whatever cache is holding this
>>>>     information, if we could increase its duration, that would
>>>>     certainly make our pain less. Is this a settable value?
>>>>
>>>>     Entering a password into a screensaver is particularly painful.
>>>>     10+ seconds before the screensaver will exit.
>>>>
>>>>     We are looking at environmental possibilities, like interfaces
>>>>     and such. This machine is running on a VMware VM, but we've had
>>>>     success deploying IPA on VMs in the past, and our faster
>>>>     network is running VMs as well (with one physical box).
>>>>
>>>>
>>>>     Bret
>>>>
>>>>     Did running sudo in debugging mode (SUDOERS_DEBUG 2 in
>>>> ldap.conf) give you any more clues?
>>>>
>>>>
>>> No. I compared the output on both networks and there's no real 
>>> difference once I accounted for HBAC on one (which produced 2 
>>> entries on the slower network that got filtered down to 1 user match 
>>> and 1 host match). But the debug output was nearly identical.
>>
>> Did you see any gaps in time in the logs that are different?
>> The flow can be the same but some operations can take longer so there 
>> would be hint to us on what to look for.
>>
>>>
>>>>
>>>>     On 05/23/2014 08:15 AM, Bret Wortman wrote:
>>>>>     Collecting my various threads together under one big issue and
>>>>>     adding this new data point:
>>>>>
>>>>>     Our web UI on our slow network is exhibiting some strange
>>>>>     behavior as well.
>>>>>
>>>>>     When selecting, for example, the "Users", it can take up to 5
>>>>>     seconds to fetch 20 out of our 56 entries.
>>>>>
>>>>>     When switching to "Hosts", it took 4 seconds for the footer to
>>>>>     show that there would be 47 pages in total, then after 10
>>>>>     seconds total, the page loaded 20 of 939 entries. When I
>>>>>     select a host, the previously-selected host will actually be
>>>>>     displayed for upwards of 8-10 seconds (while the spinning
>>>>>     cursor spins near the word Logout) until the host actually loads.
>>>>>
>>>>>     Is it just me, or does this, plus everything else, start to
>>>>>     sound like LDAP is struggling?
>>>>>
>>>>>     I ran a test using ldapsearch in authenticated and
>>>>>     unauthenticated mode from my workstation and here's what I
>>>>>     found, which may tell us nothing:
>>>>>
>>>>>     # time ldapsearch -x -H ldap://zsipa.foo.net
>>>>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>>>     :
>>>>>     real    0m2.047s
>>>>>     user   0m0.000s
>>>>>     sys     0m0.001s
>>>>>     # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
>>>>>     base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>>>     :
>>>>>     real    0m2.816s
>>>>>     user   0m0.004s
>>>>>     sys     0m0.002s
>>>>>
>>>>>     When I did this locally on the ipa master:
>>>>>
>>>>>     # ssh zsipa.foo.net
>>>>>     # time ldapsearch -Y GSSAPI
>>>>>     base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
>>>>>     :
>>>>>     real    0m0.847s
>>>>>     user   0m0.007s
>>>>>     sys     0m0.006s
>>>>>     #
>>>>>
>>>>>
>>>>>     -- 
>>>>>     *Bret Wortman*
>>>>>
>>>>>     http://damascusgrp.com/
>>>>>     http://about.me/wortmanbret
>>>>>
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     Freeipa-users mailing list
>>>>>     Freeipa-users at redhat.com
>>>>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>
>
>
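Dmitri's question earlier in the thread was whether there are gaps in time between operations. The script below is an added example, not code from this thread or from the FreeIPA project. It parses the 389-ds access-log excerpt at the top of the message (line wraps joined, the long op=3 sudoUser filter abbreviated to two terms) and separates two numbers that are easy to conflate: the server's own time inside each operation, which is what the etime= field reports, and the wall-clock gaps between consecutive entries for the same conn ID, which is time the server spent waiting on the TLS handshake, the next client request, or the client's own processing. The conn ID and log lines are the ones from the message; the function names, the gap threshold and the CONNECT/CLOSE labels are the example's own.

```python
"""Inter-operation timing for one connection in a 389-ds / IPA access log.

Added example, not code from the thread or the FreeIPA project.
"""
import re
from datetime import datetime

# Constructed input: the access-log lines for conn=183751 from the message
# above, with line wraps joined and the op=3 sudoUser filter shortened.
ACCESS_LOG = """\
[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=defaults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed - U1
"""

# One access-log entry: "[timestamp] conn=N [op=M] <rest of line>".
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"          # e.g. 26/May/2014:09:08:56 -0400
ETIME_RE = re.compile(r'\betime=(\d+(?:\.\d+)?)')


def parse_conn(log_text, conn_id):
    """Return the entries belonging to one conn ID, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('conn') != str(conn_id):
            continue
        rest = m.group('rest')
        if 'connection from' in rest:
            what = 'CONNECT'                  # label chosen by this example
        elif ' closed ' in rest:
            what = 'CLOSE'                    # label chosen by this example
        else:
            what = rest.split(' ', 1)[0]      # EXT, RESULT, SSL, BIND, SRCH, UNBIND
        et = ETIME_RE.search(rest)
        events.append({
            'ts': datetime.strptime(m.group('ts'), TS_FMT),
            'op': m.group('op'),              # None for SSL / connection lines
            'what': what,
            'etime': float(et.group(1)) if et else None,
        })
    return events


def describe(ev):
    return f"op={ev['op']} {ev['what']}" if ev['op'] is not None else ev['what']


def timing_summary(log_text, conn_id, gap_threshold=1.0):
    """Wall-clock span, summed etime, and every inter-entry gap >= threshold.

    etime is the server's processing time for the operation; a gap between
    two consecutive entries is time the server was not working on a request.
    """
    ev = parse_conn(log_text, conn_id)
    if not ev:
        raise ValueError(f"no entries for conn={conn_id}")
    wall = (ev[-1]['ts'] - ev[0]['ts']).total_seconds()
    server = sum(e['etime'] for e in ev if e['etime'] is not None)
    gaps = []
    for prev, cur in zip(ev, ev[1:]):
        gap = (cur['ts'] - prev['ts']).total_seconds()
        if gap >= gap_threshold:
            gaps.append((gap, describe(prev), describe(cur)))
    return {
        'entries': len(ev),
        'wall_seconds': wall,
        'server_seconds': server,
        'gaps': gaps,
    }


if __name__ == '__main__':
    s = timing_summary(ACCESS_LOG, 183751)
    print(f"conn=183751: {s['entries']} entries, {s['wall_seconds']:.0f}s wall, "
          f"{s['server_seconds']:.0f}s inside operations")
    for gap, before, after in s['gaps']:
        print(f"  {gap:4.0f}s between {before} and {after}")
```

For the excerpt above this reports 7 seconds from connection to close with 0 seconds of etime, spread over five gaps of 1 to 2 seconds (before startTLS, between the startTLS RESULT and the SSL line, and between result lines and the next search or the UNBIND). The timestamps in this log have whole-second resolution, so each gap is only accurate to within a second; if your access log carries fractional seconds, TS_FMT needs adjusting. Point it at a full log (not just the grep output) by changing ACCESS_LOG to the file contents and passing the conn ID you found for the slow sudo.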


