[Freeipa-users] Slow user logon with IPA
thierry bordaz
tbordaz at redhat.com
Tue Apr 14 18:35:39 UTC 2015
On 04/14/2015 05:36 PM, Mateusz Malek wrote:
>
>
> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
>> On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>>>> I've hit some weird performance problems. When I'm using IPA, it takes
>>>> about 5-7 (or even more) seconds to get shell prompt after entering
>>>> user
>>>> password (...)
>>> (...)
>>> Do authentication and see where the time is spent by examining the
>>> logs.
>>> Correlate it to the logs on the server. (...)
>> I spent the better part of today fixing this issue:
>> https://fedorahosted.org/sssd/ticket/2624
>>
>> You might want to check if you're hit by this bug by setting:
>> selinux_provider=none
>> temporarily.
>
> With selinux_provider=none things seems faster.
>
> It's still not as fast as with existing OpenLDAP, but logon times seem
> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they
> go up to 3 seconds). It seems that most time is spent in Kerberos
> authentication (logs just "stop flowing" for a while) and on HBAC
> processing - on the 389 DS side it seems that LDAP is busy with
> requests (it looks like it sometimes "hangs" on MOD operation - is it
> updating user last logon time?).
Hello,
When such long requests happened, you may take several pstack of the
389-ds process. Ideally you can timestamp the pstack output so that it
is easier to correlate with DS access logs.
Providing pstacks+access/errors logs would really help to know if there
is a bottleneck.
thanks
>
> Best regards,
> Mateusz Malek
>
More information about the Freeipa-users
mailing list