On 14.04.2015 at 21:30, Rich Megginson wrote:
On 04/14/2015 12:35 PM, thierry bordaz wrote:
On 04/10/2015 08:13 AM, Mateusz Malek wrote:
I'm about to migrate my OpenLDAP-based environment to FreeIPA,
however
I've hit some weird performance problems. When I'm using IPA, it
takes
about 5-7 (or even more) seconds to get shell prompt after
entering user
password (...)
When such long requests happened, you may take several pstack of the
389-ds process. Ideally you can timestamp the pstack output so that
it is easier to correlate with DS access logs.
Providing pstacks+access/errors logs would really help to know if
there is a bottleneck.
See also http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
You'll need to do "debuginfo-install ipa-server slapi-nis"
I've tried looking into captured information, but I think that there's
nothing suspicious. With selinux_provider patched speed is pretty good -
FreeIPA has more to do during user logon than our existing setup had
(obtaining Kerberos ticket and processing HBAC rules is definitely more
complex than single lookup with pam_ldap/nss_ldap) and I'll probably
blame those longer LDAP search times (that happen from time to time) on
our datastore performance.
Thank you all, again.
Best regards
Mateusz Małek
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
