On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
On 04/10/2015 08:13 AM, Mateusz Malek wrote:
I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
I've hit some weird performance problems. When I'm using IPA, it takes
about 5-7 (or even more) seconds to get shell prompt after entering user
Do authentication and see where the time is spent by examining the logs.
Correlate it to the logs on the server. (...)
I spent the better part of today fixing this issue:
You might want to check if you're hit by this bug by setting:
With selinux_provider=none things seems faster.
It's still not as fast as with existing OpenLDAP, but logon times seem
acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they
go up to 3 seconds). It seems that most time is spent in Kerberos
authentication (logs just "stop flowing" for a while) and on HBAC
processing - on the 389 DS side it seems that LDAP is busy with requests
(it looks like it sometimes "hangs" on MOD operation - is it updating
user last logon time?).
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project