Dmitri Pal wrote:
  On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

I continue to work with performance issues. I went into the krb5.conf
and changed dns_lookup_kdc from true to false. Kinit now responds
immediately. It’s cut the time on “ipa-finduser admin” from 2m30s down
to 18-20s. How fast “should” this respond?

It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By
turning off the name resolution against DNS in Kerberos you reduced
the number of lookups but probably did not eliminate all of them. I suggest
you continue looking into the name resolution more.
This is the best we can say without any logs or specific configurations.

Well, not quite sub-second processing. Two Kerberos authentications have to occur and those tend to be slow, 300ms or so each, plus processing time and such. A typical v1 command will take 1-3 seconds. It seems sometimes that the first execution is a bit slower as a lot of Python modules need to get loaded but subsequent runs tend to speed up a bit. 18-20 is still far out of line of what I'd expect.

The logs to look at on the server are:


You'd need to find the BIND for your user to get the connection number, then trace that through to see how long the LDAP part took. This is likely to be very fast.


This will show the XML-RPC handling time, any errors, etc.
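
The tracing procedure described above (find the user's BIND, take its connection number, follow that connection), as an added example that is not part of the original thread. It assumes access-log lines in the 389 Directory Server layout; the sample log, DNs and addresses are constructed, and `trace_user` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample; the 389 Directory Server access-log layout is an assumption.
SAMPLE_LOG = """\
[07/Jun/2011:17:20:01 -0700] conn=41 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.10
[07/Jun/2011:17:20:01 -0700] conn=41 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[07/Jun/2011:17:20:01 -0700] conn=42 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[07/Jun/2011:17:20:01 -0700] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[07/Jun/2011:17:20:01 -0700] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com"
[07/Jun/2011:17:20:02 -0700] conn=41 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[07/Jun/2011:17:20:02 -0700] conn=41 op=1 RESULT err=0 tag=101 nentries=1 etime=1
[07/Jun/2011:17:20:02 -0700] conn=41 op=2 UNBIND
[07/Jun/2011:17:20:02 -0700] conn=41 op=2 fd=64 closed - U1
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=-?\d+ )?(?P<rest>.*)$")
ETIME = re.compile(r"\betime=([\d.]+)")

def trace_user(log_text, user_dn):
    """Return per-connection timing for every connection that bound as user_dn."""
    needle = f'dn="{user_dn}"'.lower()
    by_conn, user_conns = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not connection events
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        conn, rest = int(m["conn"]), m["rest"]
        by_conn.setdefault(conn, []).append((ts, rest))
        # Simple binds carry the DN on BIND; SASL/GSSAPI binds on the bind RESULT (tag=97).
        is_bind = rest.startswith("BIND ") or (rest.startswith("RESULT ") and "tag=97" in rest)
        if is_bind and needle in rest.lower() and conn not in user_conns:
            user_conns.append(conn)
    report = []
    for conn in user_conns:
        events = by_conn[conn]
        etimes = [float(e) for _, rest in events for e in ETIME.findall(rest)]
        report.append({
            "conn": conn,
            "operations": len(etimes),
            "ldap_etime": sum(etimes),  # server-side time spent in LDAP operations
            "wall_seconds": (events[-1][0] - events[0][0]).total_seconds(),
        })
    return report

if __name__ == "__main__":
    for row in trace_user(SAMPLE_LOG, "uid=admin,cn=users,cn=accounts,dc=example,dc=com"):
        print(row)
```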


