
On 3/3/13 6:57 AM, Yair Zaslavsky wrote:
Please elaborate on "quite a few groups" - actually this is a well known issue. I was afraid you might have permissions on "too many objects" or that the account is a member of too many groups. However, being a member of too many groups should have caused the search to be slow/hang as well.

I don't have an exact count, but I think it's along the order of magnitude of 300-400.
I didn't notice the searches (when trying to add the account to the ovirt permissions) were unbearably slow like the logins. But why does ovirt even care about the groups? I thought it was only using AD for authentication and that the authorization was all done internally through the permissions granted. Or is that just a standard "library" that ovirt is using that is doing this? I don't suppose there is a workaround?

Hi, you can look at the following link -
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html
We support changing sasl_qop. You can use engine-config to do that. engine-config -s sasl_qop=auth will change Quality of Protection to be only at authentication. Please let us know if using that you will be able to see the ldap queries (i.e. have them plain and not encrypted).

Ok, yeah that allows me to see the ldap requests...
Looks like it's going through all of the groups I am a member of and doing a search on each one. And in a not so terribly efficient way (connect/bind/search/close... repeat).