[Freeipa-users] Slow user logon with IPA

Dmitri Pal dpal at redhat.com
Fri Apr 10 16:39:20 UTC 2015


On 04/10/2015 08:13 AM, Mateusz Malek wrote:
> Hi everyone!
>
> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however 
> I've hit some weird performance problems. When I'm using IPA, it takes 
> about 5-7 (or even more) seconds to get shell prompt after entering 
> user password (no matter whether this is local login to FreeIPA server 
> itself or accessing FreeIPA client machine); also, during user logon, 
> ns-slapd processes CPU usage seems to be high. For comparison, in our 
> present environment this transition from login to shell is instant.
>
> Some details: we have about 1000 user accounts and 200 user groups. 
> We're using (mostly) CentOS 7 virtual machines as servers and Fedora 
> 20 as user workstations. There are also some physical Ubuntu 12.04 
> servers (our OpenLDAP is hosted there). Slow login occurs in all these 
> (server) configurations I've tried:
> - FreeIPA on CentOS 7 VM, packages from "stock" repositories (version 
> 4.1)
> - FreeIPA on CentOS 7 VM, packages from mkosek/freeipa COPR
> - FreeIPA on Fedora 21 Workstation physical machine, packages from 
> mkosek/freeipa COPR
>
> In all cases, machines had 2GB of RAM (exclusively reserved or 
> physical). Virtual machines were tested on two separate VMware vSphere 
> clusters (running different versions of vCenter and ESXi). I have 
> tried using SSSD, pam_krb5 + nss_ldap, pam_ldap + nss_ldap - no luck.
>
> I **think** that with FreeIPA 3.3 on CentOS 7, when I tested IPA some 
> time ago, there were no similar issues.
>
> Any ideas what can be wrong or how to troubleshoot this?

Make sure your time is in sync on the server and the client.
On the client (SSSD) enable verbose logging debug_level = see here 
https://jhrozek.fedorapeople.org/sssd/git/man/sss_debuglevel.8.html
Do authentication and see where the time is spent by examining the logs.
Correlate it to the logs on the server.

If stuck send the logs from SSSD, and KDC/DS on the server and sssd 
configuration to the list for us to inspect.

>
> Best regards,
> Mateusz Malek
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
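
An added example, not part of the original message or of SSSD itself: one way to "see where the time is spent" is to merge the SSSD debug logs by timestamp and rank the largest pauses between consecutive entries. The line layout in the regex, the optional microsecond field, and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed layout of an SSSD debug log line:
# (Fri Apr 10 16:39:20 2015) [sssd[be[example.test]]] [function] (0x0400): message
# The optional ":NNNNNN" after the seconds is the assumed form with debug_microseconds on.
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)(?::(?P<us>\d{6}))? (?P<year>\d{4})\) "
    r"\[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample lines (not real SSSD output), as if sssd_pam.log and the
# domain log had been concatenated after one slow login.
SAMPLE = """\
(Fri Apr 10 16:39:20 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): request received
(Fri Apr 10 16:39:20 2015) [sssd[be[example.test]]] [be_pam_handler] (0x0100): request received
(Fri Apr 10 16:39:21 2015) [sssd[be[example.test]]] [krb5_auth_send] (0x0100): authentication started
(Fri Apr 10 16:39:26 2015) [sssd[be[example.test]]] [sdap_get_initgr_done] (0x0400): group lookup finished
(Fri Apr 10 16:39:26 2015) [sssd[pam]] [pam_reply] (0x0200): reply sent
"""

def parse(lines):
    """Return (time, process, function, message) tuples sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank and continuation lines carry no timestamp
        when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        when = when.replace(microsecond=int(m["us"] or 0))
        events.append((when, m["proc"], m["func"], m["msg"]))
    return sorted(events, key=lambda e: e[0])  # stable: ties keep file order

def slowest_gaps(lines, top=3):
    """Return the `top` largest pauses as (seconds, event_before, event_after)."""
    events = parse(lines)
    gaps = [((b[0] - a[0]).total_seconds(), a, b) for a, b in zip(events, events[1:])]
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]

if __name__ == "__main__":
    for seconds, before, after in slowest_gaps(SAMPLE.splitlines()):
        print(f"{seconds:6.2f}s  {before[1]}:{before[2]} -> {after[1]}:{after[2]}")
```

The timestamp of the largest gap is the point to look up in the KDC and directory server logs on the IPA server.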



