<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 05/27/2014 09:44 AM, Bret Wortman wrote: </div> <blockquote cite="mid:538496C9.9080907@damascusgrp.com" type="cite">I just checked to be sure, and we do already put all the IPA servers in our client host tables just to be sure they can be reached even if DNS goes down. </blockquote> Sorry, I am running out of ideas. <blockquote cite="mid:538496C9.9080907@damascusgrp.com" type="cite"> On 05/27/2014 09:20 AM, Dmitri Pal wrote: <blockquote type="cite">On 05/27/2014 08:41 AM, Rob Crittenden wrote: <blockquote type="cite">Bret Wortman wrote: <blockquote type="cite">Crud. That was supposed to have a second comparison log too: I found something in the slapd-FOO-NET/access log. I figured out which conn ID related to a sudo -i that I performed which took longer than expected and grepped for that conn ID: [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111 [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0 [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0 [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL [26/May/2014:09:09:01 -0400] conn=183751op=4 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 I think this shows, roughly, a 7 second elapsed time from start to finish, right? Granted, there were other request being serficed during this interval as well, but nothing that looked like outrageous volume. </blockquote> I don't see anything unusual here. The directory server retrieved the data just as fast on both systems, the difference appears to be the network, in connection and shutdown times. </blockquote> +1, however the TLS handshake took longer. That probably required several DNS lookups so I wonder if DNS lookups might be slowing things down. I wonder if putting server records manually into the hosts file would make a difference. If yes then may be you need to take a look at your DNS setup for the slow network. <blockquote type="cite"> <blockquote type="cite">On our faster network, this same exchange went much faster: [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from 192.168.2.13 to 192.168.2.61 [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3 [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" attrs=ALL [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" attrs=ALL [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" attrs=ALL [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1 Bret On 05/26/2014 09:51 AM, Bret Wortman wrote: <blockquote type="cite">Okay, I found something in the slapd-FOO-NET/access log. I figured out which conn ID related to a sudo -i that I performed which took longer than expected and grepped for that conn ID: [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111 [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0 [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0 [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 </blockquote> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </body> </html>