[ovirt-users] slow kerberos authentication

Fabrice Bacchella fabrice.bacchella at orange.fr
Fri May 12 15:00:50 UTC 2017


It works much better now. Goes from 6s to less than 500ms. Not blazing fast but much more usable, thanks a lot.

> On 12 May 2017 at 15:58, Ondra Machacek <omachace at redhat.com> wrote:
> 
> This is a new feature in aaa-ldap, tracked here [1].
> By default for AD profiles we use this feature, and it should
> increase performance in most cases.
> 
> But if this is not the case for you, can you just try to change the profile
> from:
> 
>  include = <ad.properties>
> 
> to
> 
>  include = <ad-recursive.properties>
> 
> And see if it will be better?
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1393407
> 
> On Fri, May 12, 2017 at 2:54 PM, Fabrice Bacchella <fabrice.bacchella at orange.fr> wrote:
> I found that:
> 
> http://dunnry.com/blog/TransitiveLinkValueFilterEvaluation.aspx
> 
> 
>> On 12 May 2017 at 14:44, Fabrice Bacchella <fabrice.bacchella at orange.fr> wrote:
>> 
>> Ok, I found where it's slow, it's a ldapsearch on our AD:
>> 
>> time ldapsearch -a never -E pr=100/noprompt -H ldap://ad1 -b DC=... -s sub '(&(groupType:1.2.840.113556.1.4.803:=2147483648)(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=userdn)))' objectGUID name description
>> 
>> # numResponses: 70
>> # numEntries: 66
>> # numReferences: 3
>> 
>> real	0m10.801s
>> user	0m0.007s
>> sys	0m0.012s
>> 
>> That matches the log line:
>> 2017-05-12 14:22:17,413+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (pool-25-thread-2) [] Performing SearchRequest 'SearchRequest(baseDN='...', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(member:1.2.840.113556.1.4.1941:=...)', attrs={objectGUID, name, description}, controls={SimplePagedResultsControl(pageSize=100, isCritical=false)})' request on server '...'
>> 2017-05-12 14:22:24,456+02 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (pool-25-thread-1) [] SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=66, referencesReturned=0, responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})
>> 
>> 
>> And without 1.2.840.113556.1.4.1941
>> 
>> # numResponses: 54
>> # numEntries: 50
>> # numReferences: 3
>> 
>> real	0m0.051s
>> user	0m0.008s
>> sys	0m0.007s
>> 
>> So it's an AD problem. 1.2.840.113556.1.4.1941 makes it slow, but without it, the result is not the same. But I don't know if it's an AD or ovirt problem. I'll keep investigating.
>> 
>> Thanks for your help.
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
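
The two lookup strategies compared in this thread, as an added example that is not part of the original messages and is not oVirt or aaa-ldap code: the single transitive query using 1.2.840.113556.1.4.1941, and a client-side walk that sends one direct-membership query per DN. It assumes the walk must pass through non-security groups and report only security-enabled ones to return the same set as the transitive filter; the directory, the DNs and the `search_direct` helper are constructed for the illustration.

```python
# Added example: constructed data, not oVirt or aaa-ldap code.
from collections import deque

SECURITY_ENABLED = 0x80000000         # 2147483648, the groupType bit tested in the thread
BIT_AND = "1.2.840.113556.1.4.803"    # bitwise-AND matching rule OID
IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive membership matching rule OID

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN with '(', ')', '*' or '\\' cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def in_chain_filter(user_dn):
    """The single transitive query from the thread; the server walks the chain."""
    return (f"(&(objectCategory=group)(groupType:{BIT_AND}:={SECURITY_ENABLED})"
            f"(member:{IN_CHAIN}:={escape_filter_value(user_dn)}))")

def direct_filter(dn):
    """One level only: groups that list dn directly in their member attribute."""
    return f"(&(objectCategory=group)(member={escape_filter_value(dn)}))"

def search_direct(directory, dn):
    """Stand-in for sending direct_filter(dn) to a server (hypothetical helper)."""
    return [g for g, attrs in directory.items() if dn in attrs["member"]]

def resolve_recursive(directory, user_dn):
    """Client-side walk: one direct query per DN, returns (security groups, query count)."""
    seen, queue, queries = set(), deque([user_dn]), 0
    while queue:
        dn = queue.popleft()
        queries += 1
        for group in search_direct(directory, dn):
            if group not in seen:      # visited set stops membership loops
                seen.add(group)
                queue.append(group)
    # Traverse through every group, but report only security-enabled ones,
    # which is what the groupType clause of the transitive filter selects.
    secure = {g for g in seen if directory[g]["groupType"] & SECURITY_ENABLED}
    return secure, queries

# Constructed directory: user -> G1 -> DL (distribution list) -> G2 -> G1 (loop)
USER = r"CN=Doe\, John (ops),OU=Users,DC=example,DC=test"
G1, DL, G2 = (f"CN={n},OU=Groups,DC=example,DC=test" for n in ("G1", "DL", "G2"))
DIRECTORY = {
    G1: {"groupType": 0x80000002, "member": [USER, G2]},
    DL: {"groupType": 0x00000002, "member": [G1]},
    G2: {"groupType": 0x80000002, "member": [DL]},
}
```

The walk costs one round trip per DN visited, so its latency grows with nesting depth, while the transitive filter moves that cost to the domain controller.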
