[ovirt-users] slow kerberos authentication

Ondra Machacek omachace at redhat.com
Fri May 12 13:58:19 UTC 2017 

This is new feature in aaa-ldap tracked here[1].
By default for AD profiles we use this feature, and it should
increase performance in most cases.

But if this is not the case for you, can you just try to change the profile
from:

 include = <ad.properties>

to

 include = <ad-recursive.properties>

And see if it will be better?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1393407

On Fri, May 12, 2017 at 2:54 PM, Fabrice Bacchella <
fabrice.bacchella at orange.fr> wrote:

> I found that:
>
> http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx
>
>
> Le 12 mai 2017 à 14:44, Fabrice Bacchella <fabrice.bacchella at orange.fr> a
> écrit :
>
> Ok, I found where it's slow, it's a ldapsearch on our AD:
>
> time ldapsearch -a never -E pr=100/noprompt -H ldap://ad1 -b DC=... -s
> sub '(&(groupType:1.2.840.113556.1.4.803:=2147483648 <(214)%20748-3648>
> )(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=userdn)))'
> objectGUID name description
>
> # numResponses: 70
> # numEntries: 66
> # numReferences: 3
>
> real 0m10.801s
> user 0m0.007s
> sys 0m0.012s
>
> That matches the log line:
> 2017-05-12 14:22:17,413+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework]
> (pool-25-thread-2) [] Performing SearchRequest 'SearchRequest(baseDN='...',
> scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectCategory=
> group)(groupType:1.2.840.113556.1.4.803:=2147483648)(
> member:1.2.840.113556.1.4.1941:=...)', attrs={objectGUID, name,
> description}, controls={SimplePagedResultsControl(pageSize=100,
> isCritical=false)})' request on server '...'
> 2017-05-12 14:22:24,456+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework]
> (pool-25-thread-1) [] SearchResult: SearchResult(resultCode=0 (success),
> messageID=3, entriesReturned=66, referencesReturned=0, responseControls={
> SimplePagedResultsControl(pageSize=0, isCritical=false)})
>
>
> And without 1.2.840.113556.1.4.1941
>
> # numResponses: 54
> # numEntries: 50
> # numReferences: 3
>
> real 0m0.051s
> user 0m0.008s
> sys 0m0.007s
>
> So it's an AD problem. 1.2.840.113556.1.4.1941 make it slow, but without
> it, the result is not the same. But I don't know if it's an AD or ovirt
> problem. I'll keep investigating.
>
> Thank's for your help.
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170512/d9323e75/attachment-0001.html>

More information about the Users mailing list