[Freeipa-users] Slow user logon with IPA

Mateusz Malek mmalek at iisg.agh.edu.pl
Tue Apr 21 23:02:02 UTC 2015



On 14.04.2015 at 21:30, Rich Megginson wrote:
> On 04/14/2015 12:35 PM, thierry bordaz wrote:
>>>>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>>>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>>>>>> I've hit some weird performance problems. When I'm using IPA, it takes
>>>>>> about 5-7 (or even more) seconds to get shell prompt after entering user
>>>>>> password (...)
>> When such long requests happen, you may take several pstacks of the
>> 389-ds process. Ideally you can timestamp the pstack output so that
>> it is easier to correlate with DS access logs.
>> Providing pstacks+access/errors logs would really help to know if
>> there is a bottleneck.
>
> See also http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>
> You'll need to do "debuginfo-install ipa-server slapi-nis"
>

I've tried looking into the captured information, but I think that there's
nothing suspicious. With selinux_provider patched, speed is pretty good -
FreeIPA has more to do during user logon than our existing setup had
(obtaining a Kerberos ticket and processing HBAC rules is definitely more
complex than a single lookup with pam_ldap/nss_ldap) and I'll probably
blame those longer LDAP search times (that happen from time to time) on
our datastore performance.

Thank you all, again.

Best regards
Mateusz Małek
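
The timestamped pstack capture and access-log correlation suggested in the quoted reply, sketched as an added example that is not part of the original thread. The function names are hypothetical, pstack (from gdb) is assumed to be installed, the caller passes the directory server's PID, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pstack (from gdb) is installed
# and the caller passes the PID of the 389-ds server process.

# capture_pstacks PID OUTDIR [COUNT] [INTERVAL]
# Save COUNT stack dumps, INTERVAL seconds apart, one file per dump, named
# after the UTC time it was taken (the access log carries its own UTC offset).
capture_pstacks() {
    pid=$1; outdir=$2; count=${3:-5}; interval=${4:-2}
    mkdir -p "$outdir" || return 1
    i=0
    while [ "$i" -lt "$count" ]; do
        pstack "$pid" > "$outdir/pstack.$(date -u +%Y%m%dT%H%M%SZ).txt" || return 1
        i=$((i + 1))
        sleep "$interval"
    done
}

# slow_ops ACCESS_LOG [MIN_ETIME]
# List operations whose RESULT line reports etime >= MIN_ETIME seconds as
# "<time of RESULT> conn=N op=M etime=T <request line>".
slow_ops() {
    awk -v min="${2:-1}" '
        $4 !~ /^op=/ { next }                 # skip lines without an op= field
        { key = $3 " " $4 }                   # "conn=N op=M"
        $5 != "RESULT" { req[key] = substr($0, index($0, $5)); next }
        {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^etime=/ && substr($i, 7) + 0 >= min)
                    print substr($1, 2), key, $i, req[key]
            delete req[key]
        }' "$1"
}

# Constructed sample in the 389-ds access log layout (not data from the thread).
sample_access_log() {
    cat <<'EOF'
[21/Apr/2015:23:02:01 +0000] conn=5 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[21/Apr/2015:23:02:01 +0000] conn=5 op=0 BIND dn="" method=128 version=3
[21/Apr/2015:23:02:01 +0000] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[21/Apr/2015:23:02:02 +0000] conn=5 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[21/Apr/2015:23:02:05 +0000] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=3
EOF
}
```

The time printed by slow_ops is when the operation finished; the pstack files to read are the ones taken between that time minus etime and that time.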



