[ovirt-users] Re: AAA question...takes long time to log in

2018-07-31 Thread Dev Ops 
Thanks for responding. 

Looks like we are using the first include option. We have lots of AD servers 
around the world and latency never seems to be an issue. This option seems like 
it would be fine for us but I did switch it to the recursive and that sped 
things up drastically. 

Thank you very much for your help!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DFKID2UKVGCI6UME55YN67G7UDG3IE73/

[ovirt-users] Re: AAA question...takes long time to log in

2018-07-31 Thread Ondra Machacek 

On 07/27/2018 01:59 AM, sipandb...@hotmail.com wrote:

I work at a company with a massive AD infrastructure. Is there any way to 
specify a specific OU to search through instead of just providing a top level 
DN? We use sssd for all our authing needs on our linux machines and would like 
to do something like below:

ldap_user_search_base = OU=Employees,OU=blah users,DC=blah,DC=com
enumerate = false

When I connect on cli it looks like Ovirt is reaching out and grabbing a ton of 
info it doesn't really need. It takes on average 40 second to allow me to log 
in on CLI or UI. This is not an AD issue as we use AD on everything in our labs 
and have no issues with speed.

I applied these changes and it didn't speed anything up.

https://ovirt.org/develop/release-management/features/infra/aaa_faq/

I can see from a tcpdump that I am in fact hitting my local AD servers and not 
going across the world to get an answer.


Do you use include  or include ?

ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN which means less 
network requests to AD servers, but higher load on less AD servers,

to fetch users/groups information.

ad-recursive.properties is using more request on more AD servers to get 
full users/groups information, but has higher load on network. So it's 
bad if you have high latency on network, but good in case you have slow 
AD servers, but good latency network.


Try both and you can see which will show better performance for you.

In order to modify baseDN of search user request, you may add to your 
profile.properties file:


 search.ad-query-principals.search-request.baseDN = 
OU=Employees,OU=blah users,${seq:_ad_baseDN}




Thanks!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WOHX5FFV5LFWRQRQCFFYJE2YEUBPJKAW/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UVT3TMWMK5JTJHM5MDPOV6EJDDVP52TP/

[ovirt-users] Re: AAA question...takes long time to log in

2018-07-30 Thread Greg Sheremeta 
cc'ing Ondra. @Ondra Machacek  can you assist?

On Mon, Jul 30, 2018 at 2:45 PM Dev Ops  wrote:

> This is still hanging us up. I have dug all around and can't seem to
> figure out how to lay in these environment tweaks to speed things up. I see
> that 4.2.5 just surfaced, but didn't see anything int the release notes
> about AAA.
>
> Thanks in advance for anyone that can help or point me in the right
> direction.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/S5P3GDNDMID4VOOQAC3ZNYFKTH2ZSF7X/
>


-- 

GREG SHEREMETA

SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX

Red Hat NA



gsher...@redhat.comIRC: gshereme

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XFBHQNDIOSM3EN2VY67RWQRFYFP3CZHR/

[ovirt-users] Re: AAA question...takes long time to log in

2018-07-30 Thread Dev Ops 
This is still hanging us up. I have dug all around and can't seem to figure out 
how to lay in these environment tweaks to speed things up. I see that 4.2.5 
just surfaced, but didn't see anything int the release notes about AAA. 

Thanks in advance for anyone that can help or point me in the right direction. 
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/S5P3GDNDMID4VOOQAC3ZNYFKTH2ZSF7X/

[ovirt-users] Re: AAA question...takes long time to log in

2018-07-26 Thread Dev Ops 
I meant to include we are running 4.2.4.5-1.el7. 

Thanks!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UE56ZYTKTM7EO2SUHBXLAZ2X2AR6K5HT/

[ovirt-users] Re: AAA question...takes long time to log in

2018-07-26 Thread Greg Sheremeta 
+Ravi Nori  can you assist?

On Thu, Jul 26, 2018 at 8:01 PM  wrote:

> I work at a company with a massive AD infrastructure. Is there any way to
> specify a specific OU to search through instead of just providing a top
> level DN? We use sssd for all our authing needs on our linux machines and
> would like to do something like below:
>
> ldap_user_search_base = OU=Employees,OU=blah users,DC=blah,DC=com
> enumerate = false
>
> When I connect on cli it looks like Ovirt is reaching out and grabbing a
> ton of info it doesn't really need. It takes on average 40 second to allow
> me to log in on CLI or UI. This is not an AD issue as we use AD on
> everything in our labs and have no issues with speed.
>
> I applied these changes and it didn't speed anything up.
>
> https://ovirt.org/develop/release-management/features/infra/aaa_faq/
>
> I can see from a tcpdump that I am in fact hitting my local AD servers and
> not going across the world to get an answer.
>
> Thanks!
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/WOHX5FFV5LFWRQRQCFFYJE2YEUBPJKAW/
>


-- 

GREG SHEREMETA

SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX

Red Hat NA



gsher...@redhat.comIRC: gshereme

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HYJSIKXZXANOJ4AGWN5UMGAQY32W7YI5/