[Freeipa-users] Slow user logon with IPA
Mateusz Malek
mmalek at iisg.agh.edu.pl
Tue Apr 14 15:36:16 UTC 2015
On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
> On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>>> I've hit some weird performance problems. When I'm using IPA, it takes
>>> about 5-7 (or even more) seconds to get shell prompt after entering user
>>> password (...)
>> (...)
>> Do authentication and see where the time is spent by examining the logs.
>> Correlate it to the logs on the server. (...)
> I spent the better part of today fixing this issue:
> https://fedorahosted.org/sssd/ticket/2624
>
> You might want to check if you're hit by this bug by setting:
> selinux_provider=none
> temporarily.
With selinux_provider=none things seems faster.
It's still not as fast as with existing OpenLDAP, but logon times seem
acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they
go up to 3 seconds). It seems that most time is spent in Kerberos
authentication (logs just "stop flowing" for a while) and on HBAC
processing - on the 389 DS side it seems that LDAP is busy with requests
(it looks like it sometimes "hangs" on MOD operation - is it updating
user last logon time?).
Best regards,
Mateusz Malek
More information about the Freeipa-users
mailing list