RHEV-M LDAP integration Logon VERY slow
Hi,
I added our RHEV-M to our domain so that we can do domain logons... set my id up as administrator, but it takes like 5 minutes for me to logon.
We have a very large AD domain so I guess it is searching the whole thing, just wondered if I can point it to a OU with just the group of RHEV-M admins in it somehow?
Thanks
Bill
Responses
Hi Bill,
I am not an AD guy, but... I wonder if you could create a user in AD that only has privilege to see a particular tree, if that would limit its reach and thereby speed up the search. My own login is a bit slow and we have a very small AD environment.
Here is an example of folks wanting to use multiple forests (which leads me to believe you could configure a "sub-forest"?)
https://access.redhat.com/solutions/53477
After adding our RHEVM to AD, we executed the following query and found out that the (European) RHEVM was connecting to an Asian AD server:
psql -U postgres engine
select option_name, option_value from vdc_options where option_name like '%LdapS%';
After correcting this to a nearby AD server, lookups were much faster.
You are likely using a number of AD servers. I believe it will try to do an SRV lookup for ldap in your domain (I do not know this for certain, as I have never had a reason to reverse-engineer the process ;-)
You can look as well (here are some example methods - dig, probably the best)
nslookup -type=SRV _ldap._tcp.example.com
host -t SRV _ldap._tcp.example.com
dig SRV _kerberos._udp.example.com
I'm also using MS-AD and also get,
engine=> select option_name, option_value from vdc_options where option_name like '%LdapS%';
option_name | option_value
-------------+--------------
LdapServers |
(1 row)
Using engine, I do get correct values:
-> engine-manage-domains list
Domain: your.domain
User name: SERVICE-ACCOUNT-NAME@YOUR.DOMAIN
Manage Domains completed successfully
You can validate the AD user account by,
-> engine-manage-domains validate
Print a list of available commands using engine-manage-domains.
-> engine-manage-domains --help
Here you have an option to,
--ldap-servers=SERVERS
A comma delimited list of LDAP servers to be set to the domain.
Haven't been able to come any closer than that
If I remember correctly, the function in MS AD is called 'Sites and Services'. Here you can control logon servers by subnet as well as replication.
Otherwise perhaps try out using a comma delimited list of LDAP servers to see if that solves the problem.
Hi William
Did find something about the requirements for ad integration yesterday.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/html/Installation_Guide/Directory_Services_Support_in_Red_Hat_Enterprise_Virtualization.html
So seems PTR record is required.
But glad to hear you got it working anyway.
I see the problem.
MS AD Domain Controllers actually don't need PTR records to function, or a reverse zone at all. We have it because quite a few applications need to be able to resolve FQDNs from IP addresses. Doesn't help you much, I know.
Does it help putting your MS AD controllers into /etc/hosts ?
William,
Can I ask what method you used to join it to the domain? I don't have a RHEV-M installed currently so can't step through the process.
Is it using SSSD and the server has joined the domain? or are you using the AD servers as LDAP servers?
There are several options in sssd/LDAP that can cause lookups to be slow, especially if you have a lot of nested objects in your directory.
Two options to look into explicitly turning off for testing are:
enumerate
ldap_referrals
Another thing to test/look at is how the servers are defined in krb5.conf (if you are using it).
Rather than looking up the servers using:
dns_lookup_realm = true
dns_lookup_kdc = true
You can statically define exactly which servers you want to reference for the domain so the lookup / destination isn't left to chance or the whim of the AD server / DNS responses.
eg.
[libdefaults]
default_realm = REFARCH-AD.CLOUD.LAB.ENG.BOS.REDHAT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
REFARCH-AD.CLOUD.LAB.ENG.BOS.REDHAT.COM = {
kdc = WIN-SRV1.REFARCH-AD.CLOUD.LAB.ENG.BOS.REDHAT.COM
admin_server = WIN-SRV1.REFARCH-AD.CLOUD.LAB.ENG.BOS.REDHAT.COM
}
Lastly, do you have any Red Hat servers joined to the same domain? are they functioning correctly / as you would expect?
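As an added example (not code from this thread or from RHEV-M): a small Python script that parses the SRV answer the dig/nslookup commands earlier in the thread return, orders the domain controllers the way a client would (RFC 2782: lowest priority first, then highest weight), and times a TCP connect to each, so you can see which DC is actually nearest before pinning it with --ldap-servers or a static kdc = entry in krb5.conf. The SRV lines and hostnames are constructed sample values, not from the original posts.

```python
"""Rank AD domain controllers from SRV records and measure TCP reachability."""
import socket
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `dig +short SRV _ldap._tcp.example.com` prints.
# Each line is "priority weight port target." (hostnames are made up here).
SAMPLE_DIG_OUTPUT = """\
0 100 389 dc-eu1.example.com.
0 100 389 dc-eu2.example.com.
10 100 389 dc-asia1.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(dig_short_output: str) -> List[SrvRecord]:
    """Parse `dig +short SRV` lines; blank or malformed lines are skipped."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            prio, weight, port = (int(p) for p in parts[:3])
        except ValueError:
            continue
        records.append(SrvRecord(prio, weight, port, parts[3].rstrip(".")))
    return records


def rank_srv(records: List[SrvRecord]) -> List[SrvRecord]:
    """Deterministic client order: lowest priority, then highest weight, then name."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def tcp_connect_ms(host: str, port: int, timeout: float = 3.0) -> Optional[float]:
    """Time a plain TCP connect to host:port; None if it fails within timeout."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.monotonic() - start) * 1000.0
    except OSError:
        return None


if __name__ == "__main__":
    for rec in rank_srv(parse_srv(SAMPLE_DIG_OUTPUT)):
        rtt = tcp_connect_ms(rec.target, rec.port)
        status = f"{rtt:.1f} ms" if rtt is not None else "unreachable"
        print(f"prio={rec.priority} weight={rec.weight} {rec.target}:{rec.port} {status}")
```

Replace SAMPLE_DIG_OUTPUT with the real dig output for your domain; a DC that ranks first by SRV but connects far slower than the others is the one to avoid in LdapServers.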
