On 05/23/2014 10:03 AM, Bret Wortman wrote:


On 05/23/2014 09:53 AM, Mauricio Tavares wrote:



On Fri, May 23, 2014 at 9:48 AM, Bret Wortman <bret.wort...@damascusgrp.com> wrote:

    More soft/anecdotal:

    When executing "sudo -i" or "sudo -iu" the first time, we can
    expect a several second delay before the command completes. If we
    then exit the session and re-execute the command, it will
    complete almost instantly. So whatever cache is holding this
    information, if we could increase its duration, that would
    certainly make our pain less. Is this a settable value?

    Entering a password into a screensaver is particularly painful.
    10+ seconds before the screensaver will exit.

    We are looking at environmental possibilities, like interfaces
    and such. This machine is running on a VMware VM, but we've had
    success deploying IPA on VMs in the past, and our faster network
    is running VMs as well (with one physical box).


    Bret

Did running sudo in debugging mode (SUDOERS_DEBUG 2 in ldap.conf) give you any more clues?


No. I compared the output on both networks and there's no real difference once I accounted for HBAC on one (which produced 2 entries on the slower network that got filtered down to 1 user match and 1 host match). But the debug output was nearly identical.

Did you see any gaps in time in the logs that are different?
The flow can be the same but some operations can take longer, so there would be a hint to us on what to look for.



    On 05/23/2014 08:15 AM, Bret Wortman wrote:
    Collecting my various threads together under one big issue and
    adding this new data point:

    Our web UI on our slow network is exhibiting some strange
    behavior as well.

    When selecting, for example, the "Users", it can take up to 5
    seconds to fetch 20 out of our 56 entries.

    When switching to "Hosts", it took 4 seconds for the footer to
    show that there would be 47 pages in total, then after 10
    seconds total, the page loaded 20 of 939 entries. When I select
    a host, the previously-selected host will actually be displayed
    for upwards of 8-10 seconds (while the spinning cursor spins
    near the word Logout) until the host actually loads.

    Is it just me, or does this, plus everything else, start to
    sound like LDAP is struggling?

    I ran a test using ldapsearch in authenticated and
    unauthenticated mode from my workstation and here's what I
    found, which may tell us nothing:

    # time ldapsearch -x -H -ldap://zsipa.foo.net
    base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
    :
    real    0m2.047s
    user   0m0.000s
    sys     0m0.001s
    # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
    base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
    :
    real    0m2.816s
    user   0m0.004s
    sys     0m0.002s

    When I did this locally on the ipa master:

    # ssh zsipa.foo.net
    # time ldapsearch -Y GSSAPI
    base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
    :
    real    0m0.847s
    user   0m0.007s
    sys     0m0.006s
    #


-- *Bret Wortman*

    http://damascusgrp.com/
    http://about.me/wortmanbret



    _______________________________________________
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users









--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
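
The comparison suggested above (same flow on both networks, but look for steps that take longer on the slow one) can be scripted. This is an added example, not code from the thread: the timestamp format, the function names and both sample logs are constructed assumptions.

```python
import re
from datetime import datetime

# Assumed line format: "(Fri May 23 09:48:01 2014) message". Adjust TS_RE and
# TS_FMT to match the timestamps in the log you are actually comparing.
TS_RE = re.compile(r"^\((?P<ts>[^)]+)\)\s*(?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample logs (not from the thread): same flow, different timing.
FAST_LOG = """\
(Fri May 23 09:48:01 2014) sudo: resolving user bretw
(Fri May 23 09:48:01 2014) ldap: search for sudo rules started
(Fri May 23 09:48:01 2014) ldap: search finished, 1 entry
(Fri May 23 09:48:02 2014) sudo: session opened
"""
SLOW_LOG = """\
(Fri May 23 09:50:10 2014) sudo: resolving user bretw
(Fri May 23 09:50:11 2014) ldap: search for sudo rules started
(Fri May 23 09:50:17 2014) ldap: search finished, 1 entry
(Fri May 23 09:50:17 2014) sudo: session opened
"""

def step_durations(log_text):
    """Return [(message, seconds until the next timestamped line), ...]."""
    events = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:  # lines without a leading timestamp are skipped
            events.append((datetime.strptime(m["ts"], TS_FMT), m["msg"]))
    return [(msg, (nxt - ts).total_seconds())
            for (ts, msg), (nxt, _) in zip(events, events[1:])]

def slower_steps(fast_log, slow_log, min_extra=2.0):
    """Pair steps by position; report those at least min_extra seconds slower."""
    fast, slow = step_durations(fast_log), step_durations(slow_log)
    report = []
    for (f_msg, f_dt), (s_msg, s_dt) in zip(fast, slow):
        if f_msg != s_msg:
            break  # flows diverged; positional pairing is no longer meaningful
        if s_dt - f_dt >= min_extra:
            report.append((s_msg, f_dt, s_dt))
    return report

if __name__ == "__main__":
    for msg, fast_s, slow_s in slower_steps(FAST_LOG, SLOW_LOG):
        print(f"{msg!r}: {fast_s:.0f}s on fast network, {slow_s:.0f}s on slow")
```

The step that precedes the gap is the one to investigate: here the time is spent between starting the LDAP search and getting its result.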
