On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
On 04/10/2015 08:13 AM, Mateusz Malek wrote:
I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
I've hit some weird performance problems. When I'm using IPA, it takes
about 5-7 (or even more) seconds to get shell prompt after entering user
password (...)
Do authentication and see where the time is spent by examining the logs.
Correlate it to the logs on the server. (...)
I spent the better part of today fixing this issue:

You might want to check if you're hit by this bug by setting:

With selinux_provider=none things seems faster.

It's still not as fast as with existing OpenLDAP, but logon times seem acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up to 3 seconds). It seems that most time is spent in Kerberos authentication (logs just "stop flowing" for a while) and on HBAC processing - on the 389 DS side it seems that LDAP is busy with requests (it looks like it sometimes "hangs" on MOD operation - is it updating user last logon time?).

Best regards,
Mateusz Malek

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to