[Freeipa-users] Slow user logon with IPA
Mateusz Malek
mmalek at iisg.agh.edu.pl
Fri Apr 10 12:13:21 UTC 2015
Hi everyone!
I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
I've hit some weird performance problems. When I'm using IPA, it takes
about 5-7 (or even more) seconds to get shell prompt after entering user
password (no matter whether this is local login to FreeIPA server itself
or accessing FreeIPA client machine); also, during user logon, ns-slapd
processes CPU usage seems to be high. For comparison, in our present
environment this transitiion from login to shell is instant.
Some details: we have about 1000 user accounts and 200 user groups.
We're using (mostly) CentOS 7 virtual machines as servers and Fedora 20
as user workstations. There are also some physical Ubuntu 12.04 servers
(our OpenLDAP is hosted there). Slow login occurs in all these (server)
configurations I've tried:
- FreeIPA on CentOS 7 VM, packages from "stock" repositories (version 4.1)
- FreeIPA on CentOS 7 VM, packages from mkosek/freeipa COPR
- FreeIPA on Fedora 21 Workstation physical machine, packages from
mkosek/freeipa COPR
In all cases, machines had 2GB of RAM (exclusively reserved or
physical). Virtual machines were tested on two separate VMware vSphere
clusters (running different versions of vCenter and ESXi). I have tried
using SSSD, pam_krb5 + nss_ldap, pam_ldap + nss_ldap - no luck.
I **think** that with FreeIPA 3.3 on CentOS 7, when I tested IPA some
time ago, there were no similar issues.
Any ideas what can be wrong or how to troubleshoot this?
Best regards,
Mateusz Malek
More information about the Freeipa-users
mailing list