On 04/14/2015 12:35 PM, thierry bordaz wrote:
On 04/14/2015 05:36 PM, Mateusz Malek wrote:



On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
On 04/10/2015 08:13 AM, Mateusz Malek wrote:
I'm about to migrate my OpenLDAP-based environment to FreeIPA, however I've hit some weird performance problems. When I'm using IPA, it takes about 5-7 (or even more) seconds to get shell prompt after entering user
password (...)
(...)
Do authentication and see where the time is spent by examining the logs.
Correlate it to the logs on the server. (...)
I spent the better part of today fixing this issue:
     https://fedorahosted.org/sssd/ticket/2624

You might want to check if you're hit by this bug by setting:
     selinux_provider=none
temporarily.

With selinux_provider=none things seems faster.

It's still not as fast as with existing OpenLDAP, but logon times seem acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up to 3 seconds). It seems that most time is spent in Kerberos authentication (logs just "stop flowing" for a while) and on HBAC processing - on the 389 DS side it seems that LDAP is busy with requests (it looks like it sometimes "hangs" on MOD operation - is it updating user last logon time?).

Hello,

When such long requests happened, you may take several pstack of the 389-ds process. Ideally you can timestamp the pstack output so that it is easier to correlate with DS access logs. Providing pstacks+access/errors logs would really help to know if there is a bottleneck.

See also http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

You'll need to do "debuginfo-install ipa-server slapi-nis"


thanks

Best regards,
Mateusz Malek



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to