https://bugzilla.redhat.com/show_bug.cgi?id=845125 (Red Hat Enterprise Linux 6)
Description of problem: I have this test server with 8.000 entries running IPA 2.2.0 and 389-ds-base-1.2.10.2-20.el6_3.x86_64 ldapsearch with "-Y GSSAPI" is much slower than using plain autentication: # time ldapsearch -x uid=bdteg01662 dn # extended LDIF # # LDAPv3 # base <dc=xxx,dc=gob,dc=ve> (default) with scope subtree # filter: uid=bdteg01662 # requesting: dn # # bdteg01662, users, accounts, xxx.gob.ve dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 real 0m0.006s user 0m0.001s sys 0m0.003s # time ldapsearch -Y GSSAPI uid=bdteg01662 dn SASL/GSSAPI authentication started SASL username: admin@XXX.GOB.VE SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=xxx,dc=gob,dc=ve> (default) with scope subtree # filter: uid=bdteg01662 # requesting: dn # # bdteg01662, users, accounts, xxx.gob.ve dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 real 0m2.344s user 0m0.007s sys 0m0.005s Version-Release number of selected component (if applicable): 389-ds-base-1.2.10.2-20.el6_3.x86_64 How reproducible: always Steps to Reproduce: 1.do a ldapsearch authenticating using GSSAPI Actual results: The command return succesfully after two seconds Expected results: The command should return succesfully almost immediately
strace of first leg of BIND request hilslMdr.asc.part
The strace https://fedorahosted.org/389/attachment/ticket/424/hilslMdr.asc.part shows that the vast majority of the time is spent in the kerberos and selinux code. Closing this ticket. The https://bugzilla.redhat.com/show_bug.cgi?id=845125 has been moved to kerberos or selinux.
Added initial screened field value.
Metadata Update from @rmeggins: - Issue assigned to rmeggins - Issue set to the milestone: N/A
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/424
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Invalid)
Login to comment on this ticket.