<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>No problem. We forced a reinstallation of openldap, which helped. PAM login is still slow but sudo isn't. We'll keep chipping away at it. </div><div><br><br><div>Bret Wortman</div><div><a href="http://bretwortman.com/">http://bretwortman.com/</a></div><div><a href="http://twitter.com/BretWortman">http://twitter.com/BretWortman</a></div></div><div><br>On May 27, 2014, at 7:15 PM, Dmitri Pal &lt;<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>
  
    <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
  
  
    <div class="moz-cite-prefix">On 05/27/2014 09:44 AM, Bret Wortman
      wrote:<br>
    </div>
    <blockquote cite="mid:538496C9.9080907@damascusgrp.com" type="cite">I
      just checked to be sure, and we do already put all the IPA servers
      in our client host tables just to be sure they can be reached even
      if DNS goes down.
      <br>
    </blockquote>
    <br>
    Sorry, I am running out of ideas.<br>
    <br>
    <blockquote cite="mid:538496C9.9080907@damascusgrp.com" type="cite">
      <br>
      On 05/27/2014 09:20 AM, Dmitri Pal wrote:
      <br>
      <blockquote type="cite">On 05/27/2014 08:41 AM, Rob Crittenden
        wrote:
        <br>
        <blockquote type="cite">Bret Wortman wrote:
          <br>
          <blockquote type="cite">Crud. That was supposed to have a
            second comparison log too:
            <br>
            <br>
            I found something in the slapd-FOO-NET/access log. I figured
            out which
            <br>
            conn ID related to a sudo -i that I performed which took
            longer than
            <br>
            expected and grepped for that conn ID:
            <br>
            <br>
            [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111
            connection from
            <br>
            192.168.208.129 to 192.168.10.111
            <br>
            [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT
            <br>
            oid="1.3.6.1.4.1.1466.20037" name="startTLS"
            <br>
            [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0
            tag=120
            <br>
            nentries=0 etime=0
            <br>
            [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
            <br>
            [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND
            <br>
            dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128
            version=3
            <br>
            [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0
            tag=97
            <br>
            nentries=0 etime=0
            <br>
            [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH
            <br>
            base="ou=SUDOers,dc=foo,dc=net" scope=2
            filter="(cn=deraults)" attrs=ALL
            <br>
            [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0
            tag=101
            <br>
            nentries=0 etime=0
            <br>
            [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH
            <br>
            base="ou=SUDOers,dc=foo,dc=net" scope=2
            <br>
            filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)
            <br>
            (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))"
            attrs=ALL
            <br>
            [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0
            tag=101
            <br>
            nentries=2 etime=0
            <br>
            [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH
            <br>
            base="ou=SUDOers,dc=foo,dc=net" scope=2
            filter="(sudoUser=+*)" attrs=ALL
            <br>
            [26/May/2014:09:09:01 -0400] conn=183751op=4 RESULT err=0
            tag=101
            <br>
            nentries=0 etime=0
            <br>
            [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
            <br>
            [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed
            = U1
            <br>
            <br>
            I think this shows, roughly, a 7 second elapsed time from
            start to
            <br>
            finish, right? Granted, there were other requests being
            serviced during
            <br>
            this interval as well, but nothing that looked like
            outrageous volume.
            <br>
          </blockquote>
          I don't see anything unusual here. The directory server
          retrieved the
          <br>
          data just as fast on both systems, the difference appears to
          be the
          <br>
          network, in connection and shutdown times.
          <br>
          <br>
        </blockquote>
        +1; however, the TLS handshake took longer. That probably
        required several DNS lookups, so I wonder if DNS lookups might be
        slowing things down.
        <br>
        I wonder if putting server records manually into the hosts file
        would make a difference. If yes, then maybe you need to take a
        look at your DNS setup for the slow network.
        <br>
        <br>
        <br>
        <blockquote type="cite">
          <blockquote type="cite">On our faster network, this same
            exchange went much faster:
            <br>
            <br>
            [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100
            connection from
            <br>
            192.168.2.13 to 192.168.2.61
            <br>
            [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT
            <br>
            oid="1.3.6.1.4.1.1466.20037" name="startTLS"
            <br>
            [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0
            tag=120
            <br>
            nentries=0 etime=0
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND
            <br>
            dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me"
            method=128 version=3
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0
            tag=97
            <br>
            nentries=0 etime=0
            dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me"
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH
            <br>
            base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2
            filter="(cn=defaults)"
            <br>
            attrs=ALL
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0
            tag=101
            <br>
            nentries=0 etime=0
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH
            <br>
            base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2
            <br>
            filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))"
            <br>
            attrs=ALL
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0
            tag=101
            <br>
            nentries=1 etime=0
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH
            <br>
            base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2
            filter="(sudoUser=+*)"
            <br>
            attrs=ALL
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0
            tag=101
            <br>
            nentries=0 etime=0
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND
            <br>
            [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed -
            U1
            <br>
            <br>
            <br>
            <br>
            Bret
            <br>
            <br>
            On 05/26/2014 09:51 AM, Bret Wortman wrote:
            <br>
            <blockquote type="cite">Okay, I found something in the
              slapd-FOO-NET/access log. I figured out
              <br>
              which conn ID related to a sudo -i that I performed which
              took longer
              <br>
              than expected and grepped for that conn ID:
              <br>
              <br>
              [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111
              connection
              <br>
              from 192.168.208.129 to 192.168.10.111
              <br>
              [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT
              <br>
              oid="1.3.6.1.4.1.1466.20037" name="startTLS"
              <br>
              [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0
              tag=120
              <br>
              nentries=0 etime=0
              <br>
              [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
              <br>
              [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND
              <br>
              dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net"
              method=128 version=3
              <br>
              [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0
              tag=97
              <br>
              nentries=0 etime=0
              <br>
              [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH
              <br>
              base="ou=SUDOers,dc=foo,dc=net" scope=2
              filter="(cn=deraults)" attrs=ALL
              <br>
              [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0
              tag=101
              <br>
              nentries=0 etime=0
              <br>
              [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH
              <br>
              base="ou=SUDOers,dc=foo,dc=net" scope=2
              <br>
              filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)
              <br>
              (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))"
              attrs=ALL
              <br>
              [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT
              erro=0 tag=101
              <br>
              nentries=2 etime=0
              <br>
              [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH
              <br>
              base="ou=SUDOers,dc=foo,dc=net" scope=2
              filter="(sudoUser=+*)" attrs=ALL
              <br>
              [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0
              tag=101
              <br>
              nentries=0 etime=0
              <br>
              [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
              <br>
              [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111
              closed = U1
              <br>
            </blockquote>
            <br>
            _______________________________________________
            <br>
            Freeipa-users mailing list
            <br>
            <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
            <br>
            <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
            <br>
            <br>
          </blockquote>
        </blockquote>
        <br>
        <br>
      </blockquote>
      <br>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  

</div></blockquote></body></html>