On (15/04/15 08:53), Jakub Hrozek wrote:
>On Tue, Apr 14, 2015 at 05:36:16PM +0200, Mateusz Malek wrote:
>> 
>> 
>> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
>> >On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>> >>On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>> >>>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>> >>>I've hit some weird performance problems. When I'm using IPA, it takes
>> >>>about 5-7 (or even more) seconds to get shell prompt after entering user
>> >>>password (...)
>> >>(...)
>> >>Do authentication and see where the time is spent by examining the logs.
>> >>Correlate it to the logs on the server. (...)
>> >I spent the better part of today fixing this issue:
>> >     https://fedorahosted.org/sssd/ticket/2624
>> >
>> >You might want to check if you're hit by this bug by setting:
>> >     selinux_provider=none
>> >temporarily.
>> 
>> With selinux_provider=none things seems faster.
>> 
>> It's still not as fast as with existing OpenLDAP, but logon times seem
>> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up
>> to 3 seconds). It seems that most time is spent in Kerberos authentication
>> (logs just "stop flowing" for a while) and on HBAC processing - on the 389
>> DS side it seems that LDAP is busy with requests (it looks like it sometimes
>> "hangs" on MOD operation - is it updating user last logon time?).
>
>I pushed the selinux performance patches upstream yesterday. They will make
>their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for
>Fedora.
>
Packages for fedora 21,22 are built.
You just need to wait utill they are available in updates testing
or you can download packages from koji.

https://admin.fedoraproject.org/updates/sssd-1.12.4-4.fc22
https://admin.fedoraproject.org/updates/sssd-1.12.4-3.fc21

Please test and provide karma.

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to