[Freeipa-users] Slow user logon with IPA

Tue Apr 14 19:30:38 UTC 2015

On 04/14/2015 12:35 PM, thierry bordaz wrote:
> On 04/14/2015 05:36 PM, Mateusz Malek wrote:
>>
>>
>> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
>>> On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>>>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, 
>>>>> however
>>>>> I've hit some weird performance problems. When I'm using IPA, it 
>>>>> takes
>>>>> about 5-7 (or even more) seconds to get shell prompt after 
>>>>> entering user
>>>>> password (...)
>>>> (...)
>>>> Do authentication and see where the time is spent by examining the 
>>>> logs.
>>>> Correlate it to the logs on the server. (...)
>>> I spent the better part of today fixing this issue:
>>>      https://fedorahosted.org/sssd/ticket/2624
>>>
>>> You might want to check if you're hit by this bug by setting:
>>>      selinux_provider=none
>>> temporarily.
>>
>> With selinux_provider=none things seems faster.
>>
>> It's still not as fast as with existing OpenLDAP, but logon times 
>> seem acceptable now (they mostly vary from 0.5 to 2 seconds, 
>> sometimes they go up to 3 seconds). It seems that most time is spent 
>> in Kerberos authentication (logs just "stop flowing" for a while) and 
>> on HBAC processing - on the 389 DS side it seems that LDAP is busy 
>> with requests (it looks like it sometimes "hangs" on MOD operation - 
>> is it updating user last logon time?).
>
> Hello,
>
> When such long requests happened, you may take several pstack of the 
> 389-ds process. Ideally you can timestamp the pstack output so that it 
> is easier to correlate with DS access logs.
> Providing pstacks+access/errors logs would really help to know if 
> there is a bottleneck.

See also http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

You'll need to do "debuginfo-install ipa-server slapi-nis"

>
> thanks
>>
>> Best regards,
>> Mateusz Malek
>>
>