On 09/04/2013 04:02 PM, Rich Megginson wrote: > On 09/04/2013 07:58 AM, John Moyer wrote: >> It was our opinion that it wasn't an index issue. I cleared the logs from >> the IPA server, and then just ran a JIRA sync with the server. I gave Rich >> the log file from my IPA for that sync. I can't find the exact conversation, >> but we determined that JIRA was connecting to LDAP some 1000 times or so to >> do the sync.
In parallel to our investigation in FreeIPA, I think it would be beneficial to either check if Jira can be configured so that it does the synchronization in one LDAP connection instead of connecting 1000 of times to do the searches. If this is not possible, I think that a bug should be filed so that they can fix it eventually in future versions. > > Right. For every single entry in IPA (user and group), JIRA LDAP sync does - > connect/bind/search/unbind/disconnect. This is horribly inefficient, but it > is > what it is, and apparently other apps work the same way (nexus? svn?), so > this > would be a good avenue to investigate performance. > >> The logs didn't show but one search done that didn't have an index which is >> why we concluded it wasn't an index issue. > > Adding indexing did help, but not much, and not nearly enough to make the > performance acceptable. Ok, it seems that the problem is indeed a slow LDAP bind with FreeIPA. It is important to note that it will always be slower that simple auth LDAP Binds with a plain LDAP instance as FreeIPA has several DS plugin hooked to the Bind operation which provides some of the functionality. Our current plan is to profile the bind operation and see if some of our DS plugin does not take more time than it should. Hopefully, we will find some suboptimal or unnecessary check which could be optimized and which would improve the overall result. Martin _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users