<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Okay, I found something in the slapd-FOO-NET/access log. I figured
    out which conn ID related to a sudo -i that I performed which took
    longer than expected and grepped for that conn ID:<br>
    <br>
    <pre wrap="">[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1</pre>
    <br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 05/26/2014 08:26 AM, Bret Wortman
      wrote:<br>
    </div>
    <blockquote cite="mid:538332FC.2090907@damascusgrp.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      Dmitri, in what logs should I expect to see something as a result
      of setting "sudoers_debug 2"? I've searched the logs on my ipa
      client that's slow, but haven't seen anything in any log file.<br>
      <br>
      Or did I misunderstand?<br>
      <br>
      <br>
      Bret<br>
      <br>
      <div class="moz-cite-prefix">On 05/23/2014 02:44 PM, Dmitri Pal
        wrote:<br>
      </div>
      <blockquote cite="mid:537F9714.6080407@redhat.com" type="cite">
        <meta content="text/html; charset=ISO-8859-1"
          http-equiv="Content-Type">
        <div class="moz-cite-prefix">On 05/23/2014 10:03 AM, Bret
          Wortman wrote:<br>
        </div>
        <blockquote cite="mid:537F554F.4030108@damascusgrp.com"
          type="cite">
          <meta content="text/html; charset=ISO-8859-1"
            http-equiv="Content-Type">
          <br>
          <div class="moz-cite-prefix">On 05/23/2014 09:53 AM, Mauricio
            Tavares wrote:<br>
          </div>
          <blockquote
cite="mid:CAHEKYV5vKe5fPRZjC1+=uk-SUtWthGTu5uqJsRj7L4PU+JnWhg@mail.gmail.com"
            type="cite">
            <div dir="ltr"><br>
              <div class="gmail_extra"><br>
                <br>
                <div class="gmail_quote">On Fri, May 23, 2014 at 9:48
                  AM, Bret Wortman <span dir="ltr">&lt;<a
                      moz-do-not-send="true"
                      href="mailto:bret.wortman@damascusgrp.com"
                      target="_blank">bret.wortman@damascusgrp.com</a>&gt;</span>
                  wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0px 0px
                    0px 0.8ex;border-left:1px solid
                    rgb(204,204,204);padding-left:1ex">
                    <div bgcolor="#FFFFFF" text="#000000"> More
                      soft/anecdotal:<br>
                      <br>
                      When executing "sudo -i" or "sudo -iu" the first
                      time, we can expect a several second delay before
                      the command completes. If we then exit the session
                      and re-execute the command, it will complete
                      almost instantly. So whatever cache is holding
                      this information, if we could increase its
                      duration, that would certainly make our pain less.
                      Is this a settable value?<br>
                      <br>
                      Entering a password into a screensaver is
                      particularly painful. 10+ seconds before the
                      screensaver will exit.<br>
                      <br>
                      We are looking at environmental possibilities,
                      like interfaces and such. This machine is running
                      on a VMware VM, but we've had success deploying
                      IPA on VMs in the past, and our faster network is
                      running VMs as well (with one physical box).<br>
                      <br>
                      <br>
                      Bret
                      <div>
                        <div class="h5"><br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <div>      Did running sudo in debugging mode
                    (SUDOERS_DEBUG  2 in ldap.conf) give you any more
                    clues?<br>
                  </div>
                  <blockquote class="gmail_quote" style="margin:0px 0px
                    0px 0.8ex;border-left:1px solid
                    rgb(204,204,204);padding-left:1ex">
                    <div bgcolor="#FFFFFF" text="#000000">
                      <div>
                        <div class="h5"> <br>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
          No. I compared the output on both networks and there's no real
          difference once I accounted for HBAC on one (which produced 2
          entries on the slower network that got filtered down to 1 user
          match and 1 host match). But the debug output was nearly
          identical.<br>
        </blockquote>
        <br>
        Did you see any gaps in time in the logs that are different?<br>
        The flow can be the same but some operations can take longer so
        there would be hint to us on what to look for.<br>
        <br>
        <blockquote cite="mid:537F554F.4030108@damascusgrp.com"
          type="cite"> <br>
          <blockquote
cite="mid:CAHEKYV5vKe5fPRZjC1+=uk-SUtWthGTu5uqJsRj7L4PU+JnWhg@mail.gmail.com"
            type="cite">
            <div dir="ltr">
              <div class="gmail_extra">
                <div class="gmail_quote">
                  <blockquote class="gmail_quote" style="margin:0px 0px
                    0px 0.8ex;border-left:1px solid
                    rgb(204,204,204);padding-left:1ex">
                    <div bgcolor="#FFFFFF" text="#000000">
                      <div>
                        <div class="h5"> <br>
                          <div>On 05/23/2014 08:15 AM, Bret Wortman
                            wrote:<br>
                          </div>
                        </div>
                      </div>
                      <blockquote type="cite">
                        <div>
                          <div class="h5"> Collecting my various threads
                            together under one big issue and adding this
                            new data point:<br>
                            <br>
                            Our web UI on our slow network is exhibiting
                            some strange behavior as well.<br>
                            <br>
                            When selecting, for example, the "Users", it
                            can take up to 5 seconds to fetch 20 out of
                            our 56 entries.<br>
                            <br>
                            When switching to "Hosts", it took 4 seconds
                            for the footer to show that there would be
                            47 pages in total, then after 10 seconds
                            total, the page loaded 20 of 939 entries.
                            When I select a host, the
                            previously-selected host will actually be
                            displayed for upwards of 8-10 seconds (while
                            the spinning cursor spins near the word
                            Logout) until the host actually loads.<br>
                            <br>
                            Is it just me, or does this, plus everything
                            else, start to sound like LDAP is
                            struggling?<br>
                            <br>
                            I ran a test using ldapsearch in
                            authenticated and unauthenticated mode from
                            my workstation and here's what I found,
                            which may tell us nothing:<br>
                            <pre wrap=""># time ldapsearch -x -H -ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
:
real    0m2.047s
user   0m0.000s
sys     0m0.001s
# time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
:
real    0m2.816s
user   0m0.004s
sys     0m0.002s</pre>
                            When I did this locally on the ipa
                            master:<br>
                            <pre wrap=""># ssh zsipa.foo.net
# time ldapsearch -Y GSSAPI base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
:
real    0m0.847s
user   0m0.007s
sys     0m0.006s
#</pre>
                            <br>
                            <br>
                            <div>-- <br>
                              <div><b>Bret Wortman</b></div>
                              <div><a moz-do-not-send="true"
                                  href="http://damascusgrp.com/"
                                  target="_blank">http://damascusgrp.com/</a><br>
                              </div>
                              <div><a moz-do-not-send="true"
                                  href="http://about.me/wortmanbret"
                                  target="_blank">http://about.me/wortmanbret</a><br>
                                <br>
                              </div>
                            </div>
                          </div>
                        </div>
                        <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                      </blockquote>
                      <br>
                    </div>
                    <br>
                  </blockquote>
                </div>
                <br>
              </div>
            </div>
          </blockquote>
        </blockquote>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
      </blockquote>
    </blockquote>
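An added example, not part of the thread, that does for the access log excerpt above what Dmitri asked for (time gaps): it pulls the 389-ds access lines for one conn ID, sums the server-side etime and lists the wall-clock pauses between consecutive lines. The sample log is constructed from the lines quoted in the message (the long op=3 filter is shortened); on it the server accounts etime=0 to every operation while seven seconds elapse end to end, so the waiting happens in time the server does not charge to any op.

```python
import re
from datetime import datetime

# Constructed sample: the conn=183751 lines quoted above (op=3 filter shortened).
ACCESS_LOG = """\
[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # 389-ds access-log timestamp format

def analyse_conn(text, conn):
    """Server time (sum of etime) vs wall-clock time for one conn, plus the pauses between lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("conn")) == conn:
            events.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("rest")))
    if not events:
        raise ValueError("conn=%d not found" % conn)
    # etime is the directory server's own processing time for that op.
    server_secs = sum(int(v) for _, r in events for v in re.findall(r"\betime=(\d+)", r))
    wall_secs = (events[-1][0] - events[0][0]).total_seconds()
    gaps = []  # (seconds, line before the pause, line after it), longest first
    for (t0, r0), (t1, r1) in zip(events, events[1:]):
        delta = (t1 - t0).total_seconds()
        if delta > 0:
            gaps.append((delta, " ".join(r0.split()[:2]), " ".join(r1.split()[:2])))
    gaps.sort(reverse=True)
    return {"wall_secs": wall_secs, "server_etime_secs": server_secs, "gaps": gaps}

if __name__ == "__main__":
    report = analyse_conn(ACCESS_LOG, 183751)
    print("wall %.0fs, server etime %ds" % (report["wall_secs"], report["server_etime_secs"]))
    for secs, before, after in report["gaps"]:
        print("  %.0fs pause between '%s' and '%s'" % (secs, before, after))
```

Run it against a real access log with `analyse_conn(open(path).read(), conn_id)`; a large wall-to-etime ratio with pauses around the startTLS/SSL lines or between a RESULT and the next request points away from server-side search cost.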
    <br>
  </body>
</html>