This is new feature in aaa-ldap tracked here[1]. By default for AD profiles we use this feature, and it should increase performance in most cases. But if this is not the case for you, can you just try to change the profile from: include = <ad.properties> to include = <ad-recursive.properties> And see if it will be better? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1393407 On Fri, May 12, 2017 at 2:54 PM, Fabrice Bacchella < fabrice.bacchella@orange.fr> wrote:
I found that:
http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx
Le 12 mai 2017 à 14:44, Fabrice Bacchella <fabrice.bacchella@orange.fr> a écrit :
Ok, I found where it's slow, it's a ldapsearch on our AD:
time ldapsearch -a never -E pr=100/noprompt -H ldap://ad1 -b DC=... -s sub '(&(groupType:1.2.840.113556.1.4.803:=2147483648 <(214)%20748-3648> )(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=userdn)))' objectGUID name description
# numResponses: 70 # numEntries: 66 # numReferences: 3
real 0m10.801s user 0m0.007s sys 0m0.012s
That matches the log line: 2017-05-12 14:22:17,413+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (pool-25-thread-2) [] Performing SearchRequest 'SearchRequest(baseDN='...', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectCategory= group)(groupType:1.2.840.113556.1.4.803:=2147483648)( member:1.2.840.113556.1.4.1941:=...)', attrs={objectGUID, name, description}, controls={SimplePagedResultsControl(pageSize=100, isCritical=false)})' request on server '...' 2017-05-12 14:22:24,456+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (pool-25-thread-1) [] SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=66, referencesReturned=0, responseControls={ SimplePagedResultsControl(pageSize=0, isCritical=false)})
And without 1.2.840.113556.1.4.1941
# numResponses: 54 # numEntries: 50 # numReferences: 3
real 0m0.051s user 0m0.008s sys 0m0.007s
So it's an AD problem. 1.2.840.113556.1.4.1941 make it slow, but without it, the result is not the same. But I don't know if it's an AD or ovirt problem. I'll keep investigating.
Thank's for your help. _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users