<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 05/23/2014 09:53 AM, Mauricio
      Tavares wrote:<br>
    </div>
    <blockquote
cite="mid:CAHEKYV5vKe5fPRZjC1+=uk-SUtWthGTu5uqJsRj7L4PU+JnWhg@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <br>
          <div class="gmail_quote">On Fri, May 23, 2014 at 9:48 AM, Bret
            Wortman <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:bret.wortman@damascusgrp.com"
                target="_blank">bret.wortman@damascusgrp.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> More
                soft/anecdotal:<br>
                <br>
                When executing "sudo -i" or "sudo -iu" the first time,
                we can expect a several second delay before the command
                completes. If we then exit the session and re-execute
                the command, it will complete almost instantly. So
                whatever cache is holding this information, if we could
                increase its duration, that would certainly make our
                pain less. Is this a settable value?<br>
                <br>
                Entering a password into a screensaver is particularly
                painful. 10+ seconds before the screensaver will exit.<br>
                <br>
                We are looking at environmental possibilities, like
                interfaces and such. This machine is running on a VMware
                VM, but we've had success deploying IPA on VMs in the
                past, and our faster network is running VMs as well
                (with one physical box).<br>
                <br>
                <br>
                Bret
                <div>
                  <div class="h5"><br>
                  </div>
                </div>
              </div>
            </blockquote>
            <div>Did running sudo in debugging mode
              (SUDOERS_DEBUG 2 in ldap.conf) give you any more clues?<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    No. I compared the output on both networks and there's no real
    difference once I accounted for HBAC on one (which produced 2
    entries on the slower network that got filtered down to 1 user match
    and 1 host match). But the debug output was nearly identical.<br>
    <br>
    <blockquote
cite="mid:CAHEKYV5vKe5fPRZjC1+=uk-SUtWthGTu5uqJsRj7L4PU+JnWhg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div>
                  <div class="h5"> <br>
                    <div>On 05/23/2014 08:15 AM, Bret Wortman wrote:<br>
                    </div>
                  </div>
                </div>
                <blockquote type="cite">
                  <div>
                    <div class="h5"> Collecting my various threads
                      together under one big issue and adding this new
                      data point:<br>
                      <br>
                      Our web UI on our slow network is exhibiting some
                      strange behavior as well.<br>
                      <br>
                      When selecting, for example, the "Users", it can
                      take up to 5 seconds to fetch 20 out of our 56
                      entries.<br>
                      <br>
                      When switching to "Hosts", it took 4 seconds for
                      the footer to show that there would be 47 pages in
                      total, then after 10 seconds total, the page
                      loaded 20 of 939 entries. When I select a host,
                      the previously-selected host will actually be
                      displayed for upwards of 8-10 seconds (while the
                      spinning cursor spins near the word Logout) until
                      the host actually loads.<br>
                      <br>
                      Is it just me, or does this, plus everything else,
                      start to sound like LDAP is struggling?<br>
                      <br>
                      I ran a test using ldapsearch in authenticated and
                      unauthenticated mode from my workstation and
                      here's what I found, which may tell us nothing:<br>
                      <tt><br>
                      </tt><tt># time ldapsearch -x -H ldap://<a
                          moz-do-not-send="true"
                          href="http://zsipa.foo.net" target="_blank">zsipa.foo.net</a>
base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"</tt><tt><br>
                      </tt><tt>:</tt><tt><br>
                      </tt><tt>real    0m2.047s</tt><tt><br>
                      </tt><tt>user   0m0.000s</tt><tt><br>
                      </tt><tt>sys     0m0.001s</tt><tt><br>
                      </tt><tt># time ldapsearch -Y GSSAPI -H <a
                          moz-do-not-send="true">ldap://zsipa.foo.net</a>
base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"</tt><tt><br>
                      </tt><tt>:</tt><tt><br>
                      </tt><tt>real    0m2.816s</tt><tt><br>
                      </tt><tt>user   0m0.004s</tt><tt><br>
                      </tt><tt>sys     0m0.002s</tt><tt><br>
                        <br>
                      </tt>When I did this locally on the ipa master:<br>
                      <tt><br>
                      </tt><tt># ssh <a moz-do-not-send="true"
                          href="http://zsipa.foo.net" target="_blank">zsipa.foo.net</a></tt><tt><br>
                      </tt><tt># time ldapsearch -Y GSSAPI
                        base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"</tt><tt><br>
                      </tt><tt>:</tt><tt><br>
                      </tt><tt>real    0m0.847s</tt><tt><br>
                      </tt><tt>user   0m0.007s</tt><tt><br>
                      </tt><tt>sys     0m0.006s</tt><tt><br>
                      </tt><tt>#</tt><tt><br>
                      </tt><br>
                      <br>
                      <div>-- <br>
                        <div><b>Bret Wortman</b></div>
                        <div><a moz-do-not-send="true"
                            href="http://damascusgrp.com/"
                            target="_blank">http://damascusgrp.com/</a><br>
                        </div>
                        <div><a moz-do-not-send="true"
                            href="http://about.me/wortmanbret"
                            target="_blank">http://about.me/wortmanbret</a><br>
                          <br>
                        </div>
                      </div>
                      <br>
                      <br>
                    </div>
                  </div>
                  <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                </blockquote>
                <br>
              </div>
              <br>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>