AAA question...takes long time to log in

I work at a company with a massive AD infrastructure. Is there any way to specify a specific OU to search through instead of just providing a top level DN? We use sssd for all our authing needs on our linux machines and would like to do something like below:

ldap_user_search_base = OU=Employees,OU=blah users,DC=blah,DC=com
enumerate = false

When I connect on CLI it looks like oVirt is reaching out and grabbing a ton of info it doesn't really need. It takes on average 40 seconds to allow me to log in on CLI or UI. This is not an AD issue as we use AD on everything in our labs and have no issues with speed.

I applied these changes and it didn't speed anything up.

https://ovirt.org/develop/release-management/features/infra/aaa_faq/

I can see from a tcpdump that I am in fact hitting my local AD servers and not going across the world to get an answer.

Thanks!

+Ravi Nori <rnori@redhat.com> can you assist?

On Thu, Jul 26, 2018 at 8:01 PM <sipandbite@hotmail.com> wrote:
I work at a company with a massive AD infrastructure. Is there any way to specify a specific OU to search through instead of just providing a top level DN? We use sssd for all our authing needs on our linux machines and would like to do something like below:
ldap_user_search_base = OU=Employees,OU=blah users,DC=blah,DC=com
enumerate = false
When I connect on CLI it looks like oVirt is reaching out and grabbing a ton of info it doesn't really need. It takes on average 40 seconds to allow me to log in on CLI or UI. This is not an AD issue as we use AD on everything in our labs and have no issues with speed.
I applied these changes and it didn't speed anything up.
https://ovirt.org/develop/release-management/features/infra/aaa_faq/
I can see from a tcpdump that I am in fact hitting my local AD servers and not going across the world to get an answer.
Thanks! _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/WOHX5FFV5LFWRQ...
-- GREG SHEREMETA SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX Red Hat NA <https://www.redhat.com/> gshereme@redhat.com IRC: gshereme <https://red.ht/sig>

This is still hanging us up. I have dug all around and can't seem to figure out how to lay in these environment tweaks to speed things up. I see that 4.2.5 just surfaced, but didn't see anything in the release notes about AAA. Thanks in advance for anyone that can help or point me in the right direction.

cc'ing Ondra. @Ondra Machacek <omachace@redhat.com> can you assist?

On Mon, Jul 30, 2018 at 2:45 PM Dev Ops <sipandbite@hotmail.com> wrote:
This is still hanging us up. I have dug all around and can't seem to figure out how to lay in these environment tweaks to speed things up. I see that 4.2.5 just surfaced, but didn't see anything in the release notes about AAA.
Thanks in advance for anyone that can help or point me in the right direction.

On 07/27/2018 01:59 AM, sipandbite@hotmail.com wrote:
I work at a company with a massive AD infrastructure. Is there any way to specify a specific OU to search through instead of just providing a top level DN? We use sssd for all our authing needs on our linux machines and would like to do something like below:
ldap_user_search_base = OU=Employees,OU=blah users,DC=blah,DC=com
enumerate = false
When I connect on CLI it looks like oVirt is reaching out and grabbing a ton of info it doesn't really need. It takes on average 40 seconds to allow me to log in on CLI or UI. This is not an AD issue as we use AD on everything in our labs and have no issues with speed.
I applied these changes and it didn't speed anything up.
https://ovirt.org/develop/release-management/features/infra/aaa_faq/
I can see from a tcpdump that I am in fact hitting my local AD servers and not going across the world to get an answer.
Do you use include <ad.properties> or include <ad-recursive.properties>?

ad.properties uses LDAP_MATCHING_RULE_IN_CHAIN, which means fewer network requests to AD servers, but higher load on fewer AD servers, to fetch users/groups information. ad-recursive.properties uses more requests on more AD servers to get full users/groups information, but puts a higher load on the network. So it's bad if you have high latency on the network, but good in case you have slow AD servers but good network latency. Try both and you can see which will show better performance for you.

In order to modify the baseDN of the search user request, you may add to your profile.properties file:

search.ad-query-principals.search-request.baseDN = OU=Employees,OU=blah users,${seq:_ad_baseDN}
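To make the trade-off in the reply above concrete, here is an added example (not oVirt's code, and not part of the original thread) that resolves nested group membership the two ways the profiles do. The in-memory directory, group names and user DNs are constructed; the matching-rule OID 1.2.840.113556.1.4.1941 is the real Active Directory LDAP_MATCHING_RULE_IN_CHAIN. The "in-chain" path sends one search and lets the server compute the transitive closure; the "recursive" path sends one search per group it discovers, so the request count grows with nesting depth and every request pays a network round trip.

```python
"""Added example: one in-chain search versus recursive client-side
group resolution, with a constructed fake AD so it runs offline."""
import re
from collections import deque

# Real AD matching rule OID for transitive (in-chain) membership queries.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed directory: group DN -> direct members (users or nested groups).
DIRECTORY = {
    "CN=All Staff,OU=Groups,DC=blah,DC=com": [
        "CN=Engineering,OU=Groups,DC=blah,DC=com",
        "CN=Sales,OU=Groups,DC=blah,DC=com",
    ],
    "CN=Engineering,OU=Groups,DC=blah,DC=com": [
        "CN=Platform,OU=Groups,DC=blah,DC=com",
        "CN=alice,OU=Employees,DC=blah,DC=com",
    ],
    "CN=Platform,OU=Groups,DC=blah,DC=com": [
        "CN=bob,OU=Employees,DC=blah,DC=com",
        "CN=alice,OU=Employees,DC=blah,DC=com",  # reachable via two paths
    ],
    "CN=Sales,OU=Groups,DC=blah,DC=com": [
        "CN=carol,OU=Employees,DC=blah,DC=com",
    ],
}

# Accepts "(member=<dn>)" and "(member:<oid>:=<dn>)" filter shapes only.
FILTER_RE = re.compile(r"^\(member(?::(?P<rule>[\d.]+):)?=(?P<dn>.+)\)$")


class FakeDirectory:
    """Stand-in for an AD server; counts how many search requests it receives."""

    def __init__(self, members_of_group):
        self.members = members_of_group
        self.requests = 0

    def search(self, filter_str):
        """Return the DNs of groups whose 'member' attribute matches the filter."""
        self.requests += 1
        m = FILTER_RE.match(filter_str)
        if not m:
            raise ValueError(f"unsupported filter: {filter_str}")
        rule, dn = m.group("rule"), m.group("dn")
        if rule is None:
            return self._direct_parents(dn)
        if rule == LDAP_MATCHING_RULE_IN_CHAIN:
            return self._transitive_parents(dn)
        raise ValueError(f"unknown matching rule: {rule}")

    def _direct_parents(self, dn):
        return [g for g, members in self.members.items() if dn in members]

    def _transitive_parents(self, dn):
        # Same walk the client does below, but executed server-side: this is
        # the CPU cost the in-chain rule shifts onto the AD server.
        seen, queue = set(), deque([dn])
        while queue:
            for g in self._direct_parents(queue.popleft()):
                if g not in seen:
                    seen.add(g)
                    queue.append(g)
        return sorted(seen)


def groups_in_chain(directory, user_dn):
    """One request; the server returns every group in the membership chain."""
    return sorted(directory.search(f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={user_dn})"))


def groups_recursive(directory, user_dn):
    """One request per discovered group; the client walks the chain itself."""
    seen, queue = set(), deque([user_dn])
    while queue:
        for g in directory.search(f"(member={queue.popleft()})"):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return sorted(seen)


def compare(user_dn, data=DIRECTORY):
    """Resolve user_dn both ways and report groups found and requests issued."""
    chain_dir, rec_dir = FakeDirectory(data), FakeDirectory(data)
    return {
        "in_chain": {"groups": groups_in_chain(chain_dir, user_dn),
                     "requests": chain_dir.requests},
        "recursive": {"groups": groups_recursive(rec_dir, user_dn),
                      "requests": rec_dir.requests},
    }


if __name__ == "__main__":
    for dn in ("CN=alice,OU=Employees,DC=blah,DC=com",
               "CN=carol,OU=Employees,DC=blah,DC=com"):
        r = compare(dn)
        print(dn, "in-chain requests:", r["in_chain"]["requests"],
              "recursive requests:", r["recursive"]["requests"])
```

Both strategies return the same group set; what differs is where the work lands. With real AD the in-chain query is the one the reply's ad.properties profile relies on, so a slow domain controller shows up as a long single request, while the recursive profile shows up as many short requests and is therefore sensitive to round-trip latency rather than server load.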

Thanks for responding. Looks like we are using the first include option. We have lots of AD servers around the world and latency never seems to be an issue. This option seems like it would be fine for us but I did switch it to the recursive and that sped things up drastically. Thank you very much for your help!