On Mon, Apr 08, 2013 at 12:26:43PM +0200, Jakub Hrozek wrote:
> 
> I tried a similar case locally and everything worked for me. In the
> domain log I saw:
> 
> [sssd[be[idm.lab.bos.redhat.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it
> 
> when I set selinux_provider=none.
> 
> What exact SSSD version is this?

sssd-1.8.0-32.el6.x86_64

> Can you paste the domain section of the sssd.conf?

        [domain/example.net]
        cache_credentials = True
        krb5_store_password_if_offline = True
        krb5_realm = EXAMPLE.NET
        ipa_domain = example.net
        id_provider = ipa
        auth_provider = ipa
        access_provider = ipa
        chpass_provider = ipa
        #ipa_server = ipa1.example.net
        ipa_server = _srv_, ipa1.example.net
        #ipa_server = ipa2.example.net, ipa1.example.net
        ldap_tls_cacert = /etc/ipa/ca.crt
        enumerate = false
        selinux_provider = none
        debug_level = 6

I now fixed the schema problem we had in 60ipaconfig.ldif. We were
missing ipaSELinuxUserMapDefault and ipaSELinuxUserMapOrder in the
ipaGuiConfig object class. But after fixing this I still see "No SELinux
user maps found!" messages:

(Mon Apr  8 12:23:08 2013) [sssd[be[example.net]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=example,dc=net
(Mon Apr  8 12:23:08 2013) [sssd[be[example.net]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=example,dc=net
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(null)][cn=selinux,dc=example,dc=net]
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=example,dc=net].
(Mon Apr  8 12:23:27 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!



Should this be the full cn=selinux,dc=example,dc=net ?

-----------------------------------------------------------
dn: cn=selinux,dc=example,dc=net
objectClass: top
objectClass: nsContainer
cn: selinux

dn: cn=usermap,cn=selinux,dc=example,dc=net
objectClass: top
objectClass: nsContainer
cn: usermap
-----------------------------------------------------------


  -jf
