On (15/04/15 08:53), Jakub Hrozek wrote:
>On Tue, Apr 14, 2015 at 05:36:16PM +0200, Mateusz Malek wrote:
>> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
>> >On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>> >>On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>> >>>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>> >>>I've hit some weird performance problems. When I'm using IPA, it takes
>> >>>about 5-7 (or even more) seconds to get shell prompt after entering user
>> >>>password (...)
>> >>(...)
>> >>Do authentication and see where the time is spent by examining the logs.
>> >>Correlate it to the logs on the server. (...)
>> >I spent the better part of today fixing this issue:
>> >     https://fedorahosted.org/sssd/ticket/2624
>> >
>> >You might want to check if you're hit by this bug by setting:
>> >     selinux_provider=none
>> >temporarily.
>> With selinux_provider=none things seems faster.
>> It's still not as fast as with existing OpenLDAP, but logon times seem
>> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up
>> to 3 seconds). It seems that most time is spent in Kerberos authentication
>> (logs just "stop flowing" for a while) and on HBAC processing - on the 389
>> DS side it seems that LDAP is busy with requests (it looks like it sometimes
>> "hangs" on MOD operation - is it updating user last logon time?).
>I pushed the selinux performance patches upstream yesterday. They will make
>their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for
Packages for fedora 21,22 are built.
You just need to wait utill they are available in updates testing
or you can download packages from koji.


Please test and provide karma.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to