[CentOS] Slow authentication on C7

Tue Apr 12 16:51:05 UTC 2016
James Hogarth <james.hogarth at gmail.com>

On 12 Apr 2016 16:29, "Scott Robbins" <scottro11 at gmail.com> wrote:
>
> On Tue, Apr 12, 2016 at 09:45:17AM +0200, Marcin Trendota wrote:
> > On 11.04.2016 at 20:07, Scott Robbins wrote:
> >
> > >>> Any ideas?
> > >> DNS?
> > > Is LDAP listed in the /etc/nsswitch.conf?
> >
> > In nsswitch.conf I have:
> > passwd:     files sss
> > shadow:     files sss
> > group:      files sss
> >
> > DNS works fine. I think that sssd communicates with the LDAP server with
> > every authentication - I have tons of the following entries in the log:
> >
> > http://pastebin.com/rZVjk0gW
> >
> > And it repeats for the same user over and over again. Is this correct behavior?
> RedHat never really mastered LDAP, unfortunately.  I have a by now ancient
> article, that mentions it.
>

<snip>

What utter nonsense. Just because you poorly configured your system does
not mean that Red Hat never really mastered it... And translating very old
experiences to CentOS 7 is even more ridiculous and counterproductive.

To the OP: enumerate is always painful; I'd remove that for a start.

My experience with the DAV SVN though is that clients are horrible in their
requests... So many it hits it so hard...

After various testing I ended up going with the Apache LDAP cache module
and doing the auth at the Apache level, not system.

Was far better in performance with the SVN server being hit fairly hard. I
can try and dig out an example configuration if you would like.

The bonus here as well is that svn users are separated cleanly from system
users... No reason for a dev to have a shell account on there ;)
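
An added example, not the poster's configuration and not taken from the thread: a sketch of the approach described in the message above (LDAP authentication done by Apache with the mod_ldap cache, for a DAV SVN location), written with httpd 2.4 directives. The host name, DNs, paths, group name and cache sizes are assumptions chosen for illustration.

```apache
# --- Server-wide mod_ldap cache settings (assumed values) ---
# Shared-memory cache size in bytes.
LDAPSharedCacheSize 500000
# Search/bind cache: remembers successful user binds.
LDAPCacheEntries 1024
LDAPCacheTTL 300
# Operation cache: remembers compare results such as group membership.
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 300

# Verify the directory server's certificate (hypothetical CA path).
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

# --- Subversion over DAV, authenticated by Apache, not by sssd/PAM ---
<Location /svn>
    DAV svn
    # Hypothetical repository root.
    SVNParentPath /var/svn/repos

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap

    # ldaps:// so Basic-auth credentials are not relayed to LDAP in clear text.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"

    # Read-only service account used for the user search (placeholder values).
    # Keep this file readable by root only.
    AuthLDAPBindDN "cn=svn-reader,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # Only members of this directory group get in; no system account is needed.
    Require ldap-group cn=svn-users,ou=Groups,dc=example,dc=com
</Location>
```

With these settings a successful bind is served from the cache until LDAPCacheTTL expires, so a disabled account or changed password can keep working for up to that many seconds; pick the TTL with that window in mind.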