On 07/27/2018 01:59 AM, sipandbite(a)hotmail.com wrote:
> I work at a company with a massive AD infrastructure. Is there any
> way to specify a specific OU to search through instead of just providing a top level DN?
> We use sssd for all our authing needs on our Linux machines and would like to do something
> like below:
>
> ldap_user_search_base = OU=Employees,OU=blah users,DC=blah,DC=com
> enumerate = false
>
> When I connect on CLI it looks like oVirt is reaching out and grabbing a ton of info it
> doesn't really need. It takes on average 40 seconds to allow me to log in on CLI or UI.
> This is not an AD issue as we use AD on everything in our labs and have no issues with
> speed.
> I applied these changes and it didn't speed anything up.
> https://ovirt.org/develop/release-management/features/infra/aaa_faq/
> I can see from a tcpdump that I am in fact hitting my local AD servers and not going
> across the world to get an answer.
Do you use include <ad.properties> or include <ad-recursive.properties>?
ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN, which means fewer
network requests to AD servers, but higher load on fewer AD servers,
to fetch users/groups information.
ad-recursive.properties is using more requests on more AD servers to get
full users/groups information, but has higher load on the network. So it's
bad if you have high latency on the network, but good in case you have slow
AD servers but a good-latency network.
Try both and you can see which shows better performance for you.
In order to modify the baseDN of the user search request, you may add to your
profile.properties file:

search.ad-query-principals.search-request.baseDN = OU=Employees,OU=blah users,${seq:_ad_baseDN}
>
> Thanks!