Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Fabrice Bacchella
It works much better now. Goes from 6s to less than 500ms. Not blazing fast but much more usable, thanks a lot. > Le 12 mai 2017 à 15:58, Ondra Machacek a écrit : > > This is new feature in aaa-ldap tracked here[1]. > By default for AD profiles we use this feature, and it

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Ondra Machacek
This is new feature in aaa-ldap tracked here[1]. By default for AD profiles we use this feature, and it should increase performance in most cases. But if this is not the case for you, can you just try to change the profile from: include = to include = And see if it will be better? [1]

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Fabrice Bacchella
I found that: http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx > Le 12 mai 2017 à 14:44, Fabrice Bacchella a > écrit : > > Ok, I found where it's slow, it's a ldapsearch on our AD: > > time ldapsearch -a never -E pr=100/noprompt -H ldap://ad1

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Fabrice Bacchella
Ok, I found where it's slow, it's a ldapsearch on our AD: time ldapsearch -a never -E pr=100/noprompt -H ldap://ad1 -b DC=... -s sub '(&(groupType:1.2.840.113556.1.4.803:=2147483648)(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=userdn)))' objectGUID name description # numResponses:

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Fabrice Bacchella
> Le 12 mai 2017 à 13:35, Ondra Machacek a écrit : > > > > On Fri, May 12, 2017 at 1:18 PM, Fabrice Bacchella > > wrote: > The request is indeed quite slow within ovirt, using the setup given by Juan: > >

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Ondra Machacek
On Fri, May 12, 2017 at 1:18 PM, Fabrice Bacchella < fabrice.bacche...@orange.fr> wrote: > The request is indeed quite slow within ovirt, using the setup given by > Juan: > > /ovirt-engine/sso/oauth/token-http-auth 7001ms > > I was not able to authenticate jboss-cli.sh, I don't know why: >

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Fabrice Bacchella
The request is indeed quite slow within ovirt, using the setup given by Juan: /ovirt-engine/sso/oauth/token-http-auth 7001ms I was not able to authenticate jboss-cli.sh, I don't know why: 'admin@internal-authz': No valid profile found in credentials. So I tried to modifie

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Juan Hernández
On 05/12/2017 11:45 AM, Juan Hernández wrote: > On 05/12/2017 10:04 AM, Yaniv Kaul wrote: >> >> >> On May 11, 2017 8:25 PM, "Fabrice Bacchella" >> > wrote: >> >> I'm using kerberos authentication in ovirt for the URL >>

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Juan Hernández
On 05/12/2017 10:04 AM, Yaniv Kaul wrote: > > > On May 11, 2017 8:25 PM, "Fabrice Bacchella" > > wrote: > > I'm using kerberos authentication in ovirt for the URL > /sso/oauth/token-http-auth, but kerberos is done in

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Yaniv Kaul
On May 11, 2017 8:25 PM, "Fabrice Bacchella" wrote: I'm using kerberos authentication in ovirt for the URL /sso/oauth/token-http-auth, but kerberos is done in Apache using auth_gssapi_module and it's quite slow, about 6s for a request. I'm trying to understand if

Re: [ovirt-users] slow kerberos authentication

2017-05-12 Thread Ondra Machacek
I am not aware of anything, but debug log of all aaa stuff would help, to understand what takes the most time. - org.ovirt.engineextensions.aaa.ldap - org.ovirt.engineextensions.aaa.misc - org.ovirt.engine.core.aaa - org.ovirt.engine.core.sso To enable it in runtime, please follow:

[ovirt-users] slow kerberos authentication

2017-05-11 Thread Fabrice Bacchella
I'm using kerberos authentication in ovirt for the URL /sso/oauth/token-http-auth, but kerberos is done in Apache using auth_gssapi_module and it's quite slow, about 6s for a request. I'm trying to understand if it's apache or ovirt-engine that are slow. Is there a way to get response time