On 05/23/2014 10:03 AM, Bret Wortman wrote:
On 05/23/2014 09:53 AM, Mauricio Tavares wrote:
On Fri, May 23, 2014 at 9:48 AM, Bret Wortman <[email protected]> wrote:
More soft/anecdotal:
When executing "sudo -i" or "sudo -iu" the first time, we can
expect a several second delay before the command completes. If we
then exit the session and re-execute the command, it will
complete almost instantly. So whatever cache is holding this
information, if we could increase its duration, that would
certainly make our pain less. Is this a settable value?
Entering a password into a screensaver is particularly painful.
10+ seconds before the screensaver will exit.
We are looking at environmental possibilities, like interfaces
and such. This machine is running on a VMware VM, but we've had
success deploying IPA on VMs in the past, and our faster network
is running VMs as well (with one physical box).
Bret
Did running sudo in debugging mode (SUDOERS_DEBUG 2 in
ldap.conf) give you any more clues?
No. I compared the output on both networks and there's no real
difference once I accounted for HBAC on one (which produced 2 entries
on the slower network that got filtered down to 1 user match and 1
host match). But the debug output was nearly identical.
Did you see any gaps in time in the logs that are different?
The flow can be the same, but some operations can take longer, so there
would be a hint for us on what to look for.
On 05/23/2014 08:15 AM, Bret Wortman wrote:
Collecting my various threads together under one big issue and
adding this new data point:
Our web UI on our slow network is exhibiting some strange
behavior as well.
When selecting, for example, the "Users", it can take up to 5
seconds to fetch 20 out of our 56 entries.
When switching to "Hosts", it took 4 seconds for the footer to
show that there would be 47 pages in total, then after 10
seconds total, the page loaded 20 of 939 entries. When I select
a host, the previously-selected host will actually be displayed
for upwards of 8-10 seconds (while the spinning cursor spins
near the word Logout) until the host actually loads.
Is it just me, or does this, plus everything else, start to
sound like LDAP is struggling?
I ran a test using ldapsearch in authenticated and
unauthenticated mode from my workstation and here's what I
found, which may tell us nothing:
# time ldapsearch -x -H -ldap://zsipa.foo.net
base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
:
real 0m2.047s
user 0m0.000s
sys 0m0.001s
# time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
:
real 0m2.816s
user 0m0.004s
sys 0m0.002s
When I did this locally on the ipa master:
# ssh zsipa.foo.net
# time ldapsearch -Y GSSAPI
base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
:
real 0m0.847s
user 0m0.007s
sys 0m0.006s
#
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
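
The comparison suggested above (same flow, different time gaps), as an added example that is not part of the original thread: it aligns two timestamped debug logs by message text and reports the steps that take longer on the slow network. The `(Day Mon DD HH:MM:SS YYYY)` prefix is an assumed, SSSD-style line format, and both sample logs are constructed.

```python
import re
from datetime import datetime
from difflib import SequenceMatcher

# Assumed line shape: "(Fri May 23 09:48:01 2014) [component] message"
STAMP = re.compile(r"^\((?P<ts>[^)]+)\)\s+(?P<msg>.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample logs (not taken from the thread).
FAST = """\
(Fri May 23 09:48:01 2014) [sssd[be[foo.net]]] request received for user bretw
(Fri May 23 09:48:01 2014) [sssd[be[foo.net]]] sending LDAP search
(Fri May 23 09:48:01 2014) [sssd[be[foo.net]]] LDAP search finished
(Fri May 23 09:48:01 2014) [sssd[be[foo.net]]] request done
"""
SLOW = """\
(Fri May 23 09:50:10 2014) [sssd[be[foo.net]]] request received for user bretw
(Fri May 23 09:50:10 2014) [sssd[be[foo.net]]] sending LDAP search
(Fri May 23 09:50:14 2014) [sssd[be[foo.net]]] LDAP search finished
(Fri May 23 09:50:14 2014) [sssd[be[foo.net]]] evaluating extra rule
(Fri May 23 09:50:14 2014) [sssd[be[foo.net]]] request done
"""

def step_durations(text):
    """Return [(message, seconds until the next timestamped line)]."""
    events = []
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue  # continuation lines carry no timestamp
        try:
            events.append((datetime.strptime(m["ts"], TS_FORMAT), m["msg"]))
        except ValueError:
            continue  # parenthesised prefix that is not a timestamp
    return [(msg, (nxt - ts).total_seconds())
            for (ts, msg), (nxt, _) in zip(events, events[1:])]

def compare_gaps(fast_text, slow_text, threshold=1.0):
    """Align both logs by message text; report steps slower by >= threshold s."""
    fast, slow = step_durations(fast_text), step_durations(slow_text)
    sm = SequenceMatcher(None, [m for m, _ in fast], [m for m, _ in slow],
                         autojunk=False)
    return [(slow[b + k][0], fast[a + k][1], slow[b + k][1])
            for a, b, size in sm.get_matching_blocks() for k in range(size)
            if slow[b + k][1] - fast[a + k][1] >= threshold]

if __name__ == "__main__":
    for msg, f, s in compare_gaps(FAST, SLOW):
        print(f"+{s - f:.0f}s (fast={f:.0f}s, slow={s:.0f}s) after: {msg}")
```

Aligning on message text rather than line position keeps the comparison valid when one log has extra lines, such as the additional HBAC entries mentioned for the slower network.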