[Freeipa-users] Slow user logon with IPA

Jakub Hrozek jhrozek at redhat.com
Wed Apr 15 06:53:13 UTC 2015


On Tue, Apr 14, 2015 at 05:36:16PM +0200, Mateusz Malek wrote:
> 
> 
> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
> >On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
> >>On 04/10/2015 08:13 AM, Mateusz Malek wrote:
> >>>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
> >>>I've hit some weird performance problems. When I'm using IPA, it takes
> >>>about 5-7 (or even more) seconds to get shell prompt after entering user
> >>>password (...)
> >>(...)
> >>Do authentication and see where the time is spent by examining the logs.
> >>Correlate it to the logs on the server. (...)
> >I spent the better part of today fixing this issue:
> >     https://fedorahosted.org/sssd/ticket/2624
> >
> >You might want to check if you're hit by this bug by setting:
> >     selinux_provider=none
> >temporarily.
> 
> With selinux_provider=none things seem faster.
> 
> It's still not as fast as with existing OpenLDAP, but logon times seem
> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up
> to 3 seconds). It seems that most time is spent in Kerberos authentication
> (logs just "stop flowing" for a while) and on HBAC processing - on the 389
> DS side it seems that LDAP is busy with requests (it looks like it sometimes
> "hangs" on MOD operation - is it updating user last logon time?).

I pushed the selinux performance patches upstream yesterday. They will make
their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for
Fedora.
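
Added example, not part of the original message or of SSSD: one way to follow the "see where the time is spent by examining the logs" advice is to merge SSSD debug-log lines by timestamp and report the longest silences, which is where the logs "stop flowing". The log line shape, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed classic SSSD debug-log line shape (microseconds are optional):
#   (Wed Apr 15 06:53:13 2015) [sssd[be[example.test]]] [func] (0x0400): msg
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)(?::(?P<us>\d{6}))? "
    r"(?P<year>\d{4})\) \[.+?\] \[(?P<func>[^\]]+)\]"
)

def parse(lines):
    """Return (timestamp, function) for every line that matches LINE_RE."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and other formats are skipped
        ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        events.append((ts.replace(microsecond=int(m["us"] or 0)), m["func"]))
    return events

def largest_gaps(lines, top=3, min_gap=1.0):
    """Longest pauses between consecutive lines, as (seconds, before, after).

    Lines from several log files can be concatenated; the stable sort
    interleaves them by timestamp and keeps file order within one second.
    """
    events = sorted(parse(lines), key=lambda e: e[0])
    gaps = []
    for (t0, f0), (t1, f1) in zip(events, events[1:]):
        delta = (t1 - t0).total_seconds()
        if delta >= min_gap:
            gaps.append((delta, f0, f1))
    return sorted(gaps, key=lambda g: -g[0])[:top]

# Constructed sample lines; the function names are illustrative only.
SAMPLE = """\
(Wed Apr 15 06:53:13 2015) [sssd[be[example.test]]] [pam_request] (0x0100): Got PAM authenticate request
(Wed Apr 15 06:53:13 2015) [sssd[be[example.test]]] [krb5_auth_start] (0x0400): Starting Kerberos child
(Wed Apr 15 06:53:15 2015) [sssd[be[example.test]]] [krb5_auth_done] (0x0400): Kerberos child finished
(Wed Apr 15 06:53:15 2015) [sssd[be[example.test]]] [hbac_eval_start] (0x0400): Evaluating access rules
(Wed Apr 15 06:53:16 2015) [sssd[be[example.test]]] [selinux_child_start] (0x0400): Running selinux child
(Wed Apr 15 06:53:20 2015) [sssd[be[example.test]]] [selinux_child_done] (0x0400): selinux child finished
""".splitlines()

if __name__ == "__main__":
    for seconds, before, after in largest_gaps(SAMPLE):
        print(f"{seconds:5.1f}s between {before} and {after}")
```

With second-resolution timestamps a reported gap is only accurate to about one second, so short pauses need microsecond timestamps in the logs.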



