This is new feature in aaa-ldap tracked here[1].
By default for AD profiles we use this feature, and it should
increase performance in most cases.

But if this is not the case for you, can you just try to change the profile
from:

 include = <ad.properties>

to

 include = <ad-recursive.properties>

And see if it will be better?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1393407

On Fri, May 12, 2017 at 2:54 PM, Fabrice Bacchella <
fabrice.bacche...@orange.fr> wrote:

> I found that:
>
> http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx
>
>
> Le 12 mai 2017 à 14:44, Fabrice Bacchella <fabrice.bacche...@orange.fr> a
> écrit :
>
> Ok, I found where it's slow, it's a ldapsearch on our AD:
>
> time ldapsearch -a never -E pr=100/noprompt -H ldap://ad1 -b DC=... -s
> sub '(&(groupType:1.2.840.113556.1.4.803:=2147483648 <(214)%20748-3648>
> )(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=userdn)))'
> objectGUID name description
>
> # numResponses: 70
> # numEntries: 66
> # numReferences: 3
>
> real 0m10.801s
> user 0m0.007s
> sys 0m0.012s
>
> That matches the log line:
> 2017-05-12 14:22:17,413+02 DEBUG 
> [org.ovirt.engineextensions.aaa.ldap.Framework]
> (pool-25-thread-2) [] Performing SearchRequest 'SearchRequest(baseDN='...',
> scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectCategory=
> group)(groupType:1.2.840.113556.1.4.803:=2147483648)(
> member:1.2.840.113556.1.4.1941:=...)', attrs={objectGUID, name,
> description}, controls={SimplePagedResultsControl(pageSize=100,
> isCritical=false)})' request on server '...'
> 2017-05-12 14:22:24,456+02 DEBUG 
> [org.ovirt.engineextensions.aaa.ldap.Framework]
> (pool-25-thread-1) [] SearchResult: SearchResult(resultCode=0 (success),
> messageID=3, entriesReturned=66, referencesReturned=0, responseControls={
> SimplePagedResultsControl(pageSize=0, isCritical=false)})
>
>
> And without 1.2.840.113556.1.4.1941
>
> # numResponses: 54
> # numEntries: 50
> # numReferences: 3
>
> real 0m0.051s
> user 0m0.008s
> sys 0m0.007s
>
> So it's an AD problem. 1.2.840.113556.1.4.1941 make it slow, but without
> it, the result is not the same. But I don't know if it's an AD or ovirt
> problem. I'll keep investigating.
>
> Thank's for your help.
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to