Re: [ovirt-users] slow kerberos authentication

12 May 2017

      ...
Le 12 mai 2017 =C3=A0 15:58, Ondra Machacek <omachace@redhat.com> a =
=C3=A9crit :
=20
This is new feature in aaa-ldap tracked here[1].
By default for AD profiles we use this feature, and it should
increase performance in most cases.
=20
But if this is not the case for you, can you just try to change the =
--Apple-Mail=_53EF95BA-A328-418F-B475-452AAD552109
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

It works much better now. Goes from 6s to less than 500ms. Not blazing =
fast but much more usable, thanks a lot.

profile
...
from:
=20
 include =3D <ad.properties>
=20
to
=20
 include =3D <ad-recursive.properties>
=20
And see if it will be better?
=20
[1] https://bugzilla.redhat.com/show_bug.cgi?id=3D1393407 =
<https://bugzilla.redhat.com/show_bug.cgi?id=3D1393407>
=20
On Fri, May 12, 2017 at 2:54 PM, Fabrice Bacchella =
<fabrice.bacchella@orange.fr <mailto:fabrice.bacchella@orange.fr>> =
wrote:
I found that:
=20
http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx =
<http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx>
=20
=20
...
Le 12 mai 2017 =C3=A0 14:44, Fabrice Bacchella =
<fabrice.bacchella@orange.fr <mailto:fabrice.bacchella@orange.fr>> a =
=C3=A9crit :
=20
Ok, I found where it's slow, it's a ldapsearch on our AD:
=20
time ldapsearch -a never -E pr=3D100/noprompt -H ldap://ad1 <> -b =
DC=3D... -s sub '(&(groupType:1.2.840.113556.1.4.803:=3D2147483648 =
<tel:(214)%20748-3648>)(&(objectCategory=3Dgroup)(member:1.2.840.113556.1.=
4.1941:=3Duserdn)))' objectGUID name description
=20
# numResponses: 70
# numEntries: 66
# numReferences: 3
=20
real	0m10.801s
user	0m0.007s
sys	0m0.012s
=20
That matches the log line:
2017-05-12 14:22:17,413+02 DEBUG =
[org.ovirt.engineextensions.aaa.ldap.Framework] (pool-25-thread-2) [] =
Performing SearchRequest 'SearchRequest(baseDN=3D'...', scope=3DSUB, =
deref=3DNEVER, sizeLimit=3D0, timeLimit=3D0, =
filter=3D'&(objectCategory=3Dgroup)(groupType:1.2.840.113556.1.4.803:=3D21=
47483648)(member:1.2.840.113556.1.4.1941:=3D...)', attrs=3D{objectGUID, =
name, description}, controls=3D{SimplePagedResultsControl(pageSize=3D100, =
isCritical=3Dfalse)})' request on server '...'
2017-05-12 14:22:24,456+02 DEBUG =
[org.ovirt.engineextensions.aaa.ldap.Framework] (pool-25-thread-1) [] =
SearchResult: SearchResult(resultCode=3D0 (success), messageID=3D3, =
entriesReturned=3D66, referencesReturned=3D0, =
responseControls=3D{SimplePagedResultsControl(pageSize=3D0, =
isCritical=3Dfalse)})
=20
=20
And without 1.2.840.113556.1.4.1941
=20
# numResponses: 54
# numEntries: 50
# numReferences: 3
=20
real	0m0.051s
user	0m0.008s
sys	0m0.007s
=20
So it's an AD problem. 1.2.840.113556.1.4.1941 make it slow, but =
without it, the result is not the same. But I don't know if it's an AD =
or ovirt problem. I'll keep investigating.
=20
Thank's for your help.
_______________________________________________
Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users =
<http://lists.ovirt.org/mailman/listinfo/users>
=20
=20

Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--Apple-Mail=_53EF95BA-A328-418F-B475-452AAD552109
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">It works much better now. Goes from 6s to less than 500ms. =
Not blazing fast but much more usable, thanks a lot.<div class=3D""><br =
class=3D""><div class=3D""><div><blockquote type=3D"cite" class=3D""><div =
class=3D"">Le 12 mai 2017 =C3=A0 15:58, Ondra Machacek <<a =
href=3D"mailto:omachace@redhat.com" class=3D"">omachace@redhat.com</a>>=
 a =C3=A9crit :</div><br class=3D"Apple-interchange-newline"><div =
class=3D""><div dir=3D"ltr" class=3D""><div class=3D""><div =
class=3D""><div class=3D""><div class=3D""><div class=3D""><div =
class=3D"">This is new feature in aaa-ldap tracked here[1].<br =
class=3D""></div>By default for AD profiles we use this feature, and it =
should<br class=3D""></div>increase performance in most cases.<br =
class=3D""><br class=3D""></div>But if this is not the case for you, can =
you just try to change the profile<br class=3D""></div>from:<br =
class=3D""><br class=3D""> include =3D <ad.properties><br =
class=3D""><br class=3D""></div>to<br class=3D""><br =
class=3D""> include =3D <ad-recursive.properties><br =
class=3D""><br class=3D""></div>And see if it will be better?<br =
class=3D""><div class=3D""><div class=3D""><div class=3D""><div =
class=3D""><div class=3D""><div class=3D""><br class=3D"">[1] <a =
href=3D"https://bugzilla.redhat.com/show_bug.cgi?id=3D1393407" =
class=3D"">https://bugzilla.redhat.com/show_bug.cgi?id=3D1393407</a><br =
class=3D""></div></div></div></div></div></div></div><div =
class=3D"gmail_extra"><br class=3D""><div class=3D"gmail_quote">On Fri, =
May 12, 2017 at 2:54 PM, Fabrice Bacchella <span dir=3D"ltr" =
class=3D""><<a href=3D"mailto:fabrice.bacchella@orange.fr" =
target=3D"_blank" class=3D"">fabrice.bacchella@orange.fr</a>></span> =
wrote:<br class=3D""><blockquote class=3D"gmail_quote" style=3D"margin:0 =
0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div =
style=3D"word-wrap:break-word" class=3D"">I found that:<div class=3D""><br=
 class=3D""></div><div class=3D""><a =
href=3D"http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx" =
target=3D"_blank" class=3D"">http://dunnry.com/blog/<wbr =
class=3D"">TransitiveLinkValueFilterEvalu<wbr =
class=3D"">ation.aspx</a></div><div class=3D""><br class=3D""></div><div =
class=3D""><br class=3D""><div class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D""><div class=3D"h5"><div class=3D"">Le 12 mai =
2017 =C3=A0 14:44, Fabrice Bacchella <<a =
href=3D"mailto:fabrice.bacchella@orange.fr" target=3D"_blank" =
class=3D"">fabrice.bacchella@orange.fr</a>> a =C3=A9crit :</div><br =
class=3D"m_5720800219487051111Apple-interchange-newline"></div></div><div =
class=3D""><div class=3D""><div class=3D"h5"><div =
style=3D"word-wrap:break-word" class=3D"">Ok, I found where it's slow, =
it's a ldapsearch on our AD:<div class=3D""><br class=3D""></div><div =
class=3D""><div =
style=3D"margin:0px;font-size:11px;line-height:normal;font-family:Menlo" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D"">time ldapsearch -a never -E pr=3D100/noprompt -H <a =
class=3D"">ldap://ad1</a> -b DC=3D... -s sub =
'(&(groupType:1.2.840.113556.<wbr class=3D"">1.4.803:=3D<a =
href=3D"tel:(214)%20748-3648" value=3D"+12147483648" target=3D"_blank" =
class=3D"">2147483648</a>)(&(<wbr =
class=3D"">objectCategory=3Dgroup)(member:<wbr =
class=3D"">1.2.840.113556.1.4.1941:=3D<wbr class=3D"">userdn)))' =
objectGUID name description</span></div><br class=3D""></div><div =
class=3D""><div style=3D"margin:0px;line-height:normal" class=3D""><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D""># numResponses: 70</span></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D""># numEntries: 66</span></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D""># numReferences: 3</span></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal;mi=
n-height:13px" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D""></span><br=
 class=3D""></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D"">real<span class=3D"m_5720800219487051111Apple-tab-span" =
style=3D"white-space:pre-wrap">	</span>0m10.801s</span></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D"">user<span class=3D"m_5720800219487051111Apple-tab-span" =
style=3D"white-space:pre-wrap">	</span>0m0.007s</span></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D"">sys<span class=3D"m_5720800219487051111Apple-tab-span" =
style=3D"white-space:pre-wrap">	</span>0m0.012s</span></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D""><br class=3D""></span></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D"">That matches the log line:</span></div><div =
style=3D"margin:0px;line-height:normal" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D""><div =
style=3D"margin:0px;line-height:normal" class=3D""><font face=3D"Menlo" =
class=3D""><span style=3D"font-size:11px" class=3D"">2017-05-12 =
14:22:17,413+02 DEBUG [org.ovirt.engineextensions.<wbr =
class=3D"">aaa.ldap.Framework] (pool-25-thread-2) [] Performing =
SearchRequest 'SearchRequest(baseDN=3D'...', scope=3DSUB, deref=3DNEVER, =
sizeLimit=3D0, timeLimit=3D0, filter=3D'&(objectCategory=3D<wbr =
class=3D"">group)(groupType:1.2.840.<wbr =
class=3D"">113556.1.4.803:=3D2147483648)(<wbr =
class=3D"">member:1.2.840.113556.1.4.<wbr class=3D"">1941:=3D...)', =
attrs=3D{objectGUID, name, description}, con</span></font><span =
style=3D"font-size:11px;font-family:Menlo" class=3D"">trols=3D{<wbr =
class=3D"">SimplePagedResultsControl(<wbr class=3D"">pageSize=3D100, =
isCritical=3Dfalse)})' request on server =
'...'</span></div></span></div><div =
style=3D"margin:0px;line-height:normal" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures;font-size:11px" =
class=3D""><font face=3D"Menlo" class=3D""><div =
style=3D"margin:0px;line-height:normal" class=3D"">2017-05-12 =
14:22:24,456+02 DEBUG [org.ovirt.engineextensions.<wbr =
class=3D"">aaa.ldap.Framework] (pool-25-thread-1) [] SearchResult: =
SearchResult(resultCode=3D0 (success), messageID=3D3, =
entriesReturned=3D66, referencesReturned=3D0, responseControls=3D{<wbr =
class=3D"">SimplePagedResultsControl(<wbr class=3D"">pageSize=3D0, =
isCritical=3Dfalse)})</div></font></span></div><div =
style=3D"font-family:Menlo;font-size:11px" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D""><br =
class=3D""></span></div><div style=3D"font-family:Menlo;font-size:11px" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D""><br class=3D""></span></div><div =
style=3D"font-family:Menlo;font-size:11px" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D"">And =
without </span>1.2.840.113556.1.4.<wbr class=3D"">1941</div><div =
style=3D"font-family:Menlo;font-size:11px" class=3D""><br =
class=3D""></div><div style=3D"font-family:Menlo;font-size:11px" =
class=3D""><div style=3D"margin:0px;line-height:normal" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D""># =
numResponses: 54</span></div><div style=3D"margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D""># numEntries: 50</span></div><div =
style=3D"margin:0px;line-height:normal" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D""># =
numReferences: 3</span></div><div =
style=3D"margin:0px;line-height:normal;min-height:13px" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D""></span><br=
 class=3D""></div><div style=3D"margin:0px;line-height:normal" =
class=3D""><span style=3D"font-variant-ligatures:no-common-ligatures" =
class=3D"">real<span class=3D"m_5720800219487051111Apple-tab-span" =
style=3D"white-space:pre-wrap">	</span>0m0.051s</span></div><div =
style=3D"margin:0px;line-height:normal" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D"">user<span =
class=3D"m_5720800219487051111Apple-tab-span" =
style=3D"white-space:pre-wrap">	</span>0m0.008s</span></div><div =
style=3D"margin:0px;line-height:normal" class=3D""><span =
style=3D"font-variant-ligatures:no-common-ligatures" class=3D"">sys<span =
class=3D"m_5720800219487051111Apple-tab-span" =
style=3D"white-space:pre-wrap">	</span>0m0.007s</span></div><div =
style=3D"margin:0px;line-height:normal" class=3D""><br =
class=3D""></div></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D"">So it's an AD problem. 1.2.840.113556.1.4.1941 make it slow, =
but without it, the result is not the same. But I don't know if it's an =
AD or ovirt problem. I'll keep investigating.</div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D""><br class=3D""></div><div =
style=3D"font-family:Menlo;font-size:11px;margin:0px;line-height:normal" =
class=3D"">Thank's for your =
help.</div></div></div></div></div></div><span =
class=3D"">______________________________<wbr =
class=3D"">_________________<br class=3D"">Users mailing list<br =
class=3D""><a href=3D"mailto:Users@ovirt.org" target=3D"_blank" =
class=3D"">Users@ovirt.org</a><br class=3D""><a =
href=3D"http://lists.ovirt.org/mailman/listinfo/users" target=3D"_blank" =
class=3D"">http://lists.ovirt.org/<wbr =
class=3D"">mailman/listinfo/users</a><br =
class=3D""></span></div></blockquote></div><br =
class=3D""></div></div></blockquote></div><br class=3D""></div>
_______________________________________________<br class=3D"">Users =
mailing list<br class=3D""><a href=3D"mailto:Users@ovirt.org" =
class=3D"">Users@ovirt.org</a><br =
class=3D"">http://lists.ovirt.org/mailman/listinfo/users<br =
class=3D""></div></blockquote></div><br =
class=3D""></div></div></body></html>=

--Apple-Mail=_53EF95BA-A328-418F-B475-452AAD552109--