On Tue, Apr 14, 2015 at 05:36:16PM +0200, Mateusz Malek wrote: > > > On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote: > >On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote: > >>On 04/10/2015 08:13 AM, Mateusz Malek wrote: > >>>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however > >>>I've hit some weird performance problems. When I'm using IPA, it takes > >>>about 5-7 (or even more) seconds to get shell prompt after entering user > >>>password (...) > >>(...) > >>Do authentication and see where the time is spent by examining the logs. > >>Correlate it to the logs on the server. (...) > >I spent the better part of today fixing this issue: > > https://fedorahosted.org/sssd/ticket/2624 > > > >You might want to check if you're hit by this bug by setting: > > selinux_provider=none > >temporarily. > > With selinux_provider=none things seems faster. > > It's still not as fast as with existing OpenLDAP, but logon times seem > acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up > to 3 seconds). It seems that most time is spent in Kerberos authentication > (logs just "stop flowing" for a while) and on HBAC processing - on the 389 > DS side it seems that LDAP is busy with requests (it looks like it sometimes > "hangs" on MOD operation - is it updating user last logon time?).
I pushed the selinux performance patches upstream yesterday. They will make their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for Fedora. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project