Re: [ovirt-users] oVirt 3.6.1 with FreeIPA Auth domain performance

2016-01-22 Thread Justin Bushey
Ondra,

Thanks again. You've definitely saved me from spending too much time going
down a bunny hole.

-- Justin

On Fri, Jan 22, 2016 at 4:35 AM, Ondra Machacek wrote:

> Hi,
>
> the best thing you can do is to migrate to the new AAA ldap[1],
> as you will have to do so anyway in 4.0, as manage-domains
> will be removed, so I think it is better to invest time in migration
> than in searching for the root cause. We will be happy to help
> you with migration. You can also try the migration tool[2].
>
> Ondra
>
> [1]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
> [2]
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases
>
>
> On 01/22/2016 09:37 AM, Justin Bushey wrote:
>
>> Hello,
>>
>> I just wanted to see if anyone else has seen issues with using FreeIPA
>> as an authentication domain with oVirt 3.6.1. Specifically, I'm seeing
>> extremely slow performance when authenticating as an IPA user, between
>> 5-10 minutes to get logged into the UI. On the KDC side I'm seeing
>> ticket requests from the oVirt host, which succeed and are repeated.
>> Eventually authentication succeeds to the Web UI.
>>
>> The IPA domain was added using `engine-manage-domains` with the IPA
>> provider option. I could configure direct LDAP authentication if
>> absolutely need be, but this is really bugging me.
>>
>> Google hasn't turned up any similar issues so I wanted to check if
>> anyone else has seen anything like this. I can post logs tomorrow if
>> anyone wants to assist me in troubleshooting ;)
>>
>> Thanks,
>>
>> Justin Bushey
>> InfoRelay Online Systems, Inc.
>>
>>
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>


Re: [ovirt-users] oVirt 3.6.1 with FreeIPA Auth domain performance

2016-01-22 Thread Ondra Machacek

Hi,

the best thing you can do is to migrate to the new AAA ldap[1],
as you will have to do so anyway in 4.0, as manage-domains
will be removed, so I think it is better to invest time in migration
than in searching for the root cause. We will be happy to help
you with migration. You can also try the migration tool[2].

Ondra

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
[2] 
https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases


On 01/22/2016 09:37 AM, Justin Bushey wrote:

Hello,

I just wanted to see if anyone else has seen issues with using FreeIPA
as an authentication domain with oVirt 3.6.1. Specifically, I'm seeing
extremely slow performance when authenticating as an IPA user, between
5-10 minutes to get logged into the UI. On the KDC side I'm seeing
ticket requests from the oVirt host, which succeed and are repeated.
Eventually authentication succeeds to the Web UI.

The IPA domain was added using `engine-manage-domains` with the IPA
provider option. I could configure direct LDAP authentication if
absolutely need be, but this is really bugging me.

Google hasn't turned up any similar issues so I wanted to check if
anyone else has seen anything like this. I can post logs tomorrow if
anyone wants to assist me in troubleshooting ;)

Thanks,

Justin Bushey
InfoRelay Online Systems, Inc.




Re: [ovirt-users] oVirt 3.6.1 with FreeIPA Auth domain performance

2016-01-22 Thread Justin Bushey
Also, I forgot to mention that I am running this against FreeIPA 4.2.

Thanks

On Fri, Jan 22, 2016 at 3:37 AM, Justin Bushey wrote:

> Hello,
>
> I just wanted to see if anyone else has seen issues with using FreeIPA as
> an authentication domain with oVirt 3.6.1. Specifically, I'm seeing
> extremely slow performance when authenticating as an IPA user, between 5-10
> minutes to get logged into the UI. On the KDC side I'm seeing ticket
> requests from the oVirt host, which succeed and are repeated. Eventually
> authentication succeeds to the Web UI.
>
> The IPA domain was added using `engine-manage-domains` with the IPA
> provider option. I could configure direct LDAP authentication if absolutely
> need be, but this is really bugging me.
>
> Google hasn't turned up any similar issues so I wanted to check if anyone
> else has seen anything like this. I can post logs tomorrow if anyone wants
> to assist me in troubleshooting ;)
>
> Thanks,
>
> Justin Bushey
> InfoRelay Online Systems, Inc.
>


Re: [ovirt-users] oVirt 3.6.1 with FreeIPA Auth domain performance

2016-01-22 Thread Donny Davis
I use FreeIPA without issue on AAA LDAP.

Here is a simple write-up that may help you understand how AAA LDAP works.
This is outdated, so don't just copy and paste; however, it will help
you get the gist.

https://ipv6cloud.wordpress.com/2014/12/16/ovirt-simple-ldap-aaa/

On Fri, Jan 22, 2016 at 2:08 PM, Justin Bushey wrote:

> Ondra,
>
> Thanks again. You've definitely saved me from spending too much time going
> down a bunny hole.
>
> -- Justin
>
> On Fri, Jan 22, 2016 at 4:35 AM, Ondra Machacek wrote:
>
>> Hi,
>>
>> the best thing you can do is to migrate to the new AAA ldap[1],
>> as you will have to do so anyway in 4.0, as manage-domains
>> will be removed, so I think it is better to invest time in migration
>> than in searching for the root cause. We will be happy to help
>> you with migration. You can also try the migration tool[2].
>>
>> Ondra
>>
>> [1]
>> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
>> [2]
>> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases
>>
>>
>> On 01/22/2016 09:37 AM, Justin Bushey wrote:
>>
>>> Hello,
>>>
>>> I just wanted to see if anyone else has seen issues with using FreeIPA
>>> as an authentication domain with oVirt 3.6.1. Specifically, I'm seeing
>>> extremely slow performance when authenticating as an IPA user, between
>>> 5-10 minutes to get logged into the UI. On the KDC side I'm seeing
>>> ticket requests from the oVirt host, which succeed and are repeated.
>>> Eventually authentication succeeds to the Web UI.
>>>
>>> The IPA domain was added using `engine-manage-domains` with the IPA
>>> provider option. I could configure direct LDAP authentication if
>>> absolutely need be, but this is really bugging me.
>>>
>>> Google hasn't turned up any similar issues so I wanted to check if
>>> anyone else has seen anything like this. I can post logs tomorrow if
>>> anyone wants to assist me in troubleshooting ;)
>>>
>>> Thanks,
>>>
>>> Justin Bushey
>>> InfoRelay Online Systems, Inc.
>>>
>>>
>>>
>>>
>
>
>


-- 
Donny Davis