Discussion: Login with LDAP authentication takes 5 seconds

Login with LDAP authentication takes 5 seconds

From
Andreas Schmid
Date:
Hi,

I configured my PostgreSQL 10 DB on Debian 9.2 with LDAP authentication (simple bind mode). While this basically works, it has the strange effect that the first login with psql takes around 5 seconds. When I reconnect within 60 seconds, the login completes immediately.

The LDAP server is behind a firewall. So for a test, in pg_hba.conf I put the LDAP server's IP address instead of its DNS name (for parameter ldapserver). Like that, all logins complete immediately. But in general I prefer specifying the DNS name rather than the IP.

When I checked on the DB machine with the following commands
host my.ldap.server.org
dig my.ldap.server.org
both always returned the host name and IP address of the LDAP server immediately.

Does anyone of you have an explanation for this, or a hint, where I could do some further investigation?

Thanks,
Andy

Re: Login with LDAP authentication takes 5 seconds

From
Laurenz Albe
Date:
Andreas Schmid wrote:
> I configured my PostgreSQL 10 DB on Debian 9.2 with LDAP authentication (simple bind mode).
> While this basically works, it has the strange effect that the first login with psql
> takes around 5 seconds. When I reconnect within 60 seconds, the login completes immediately.
> 
> The LDAP server is behind a firewall. So for a test, in pg_hba.conf I put the LDAP server's
> IP address instead of its DNS name (for parameter ldapserver). Like that, all logins
> complete immediately. But in general I prefer specifying the DNS name rather than the IP.
> 
> When I checked on the DB machine with the following commands
> host my.ldap.server.org
> dig my.ldap.server.org
> both always returned the host name and IP address of the LDAP server immediately. 
> 
> Does anyone of you have an explanation for this, or a hint, where I could do some further
> investigation?

I would run a network trace with timestamps to see where the time is spent.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com


Re: Login with LDAP authentication takes 5 seconds

From
Jeff Janes
Date:
On Mon, May 28, 2018 at 10:26 AM, Andreas Schmid <user462411@gmail.com> wrote:
> Hi,
>
> I configured my PostgreSQL 10 DB on Debian 9.2 with LDAP authentication (simple bind mode). While this basically works, it has the strange effect that the first login with psql takes around 5 seconds. When I reconnect within 60 seconds, the login completes immediately.
>
> The LDAP server is behind a firewall. So for a test, in pg_hba.conf I put the LDAP server's IP address instead of its DNS name (for parameter ldapserver). Like that, all logins complete immediately. But in general I prefer specifying the DNS name rather than the IP.
>
> When I checked on the DB machine with the following commands
> host my.ldap.server.org
> dig my.ldap.server.org
> both always returned the host name and IP address of the LDAP server immediately.

Out of curiosity, what if you use "ping" rather than "dig" or "host"?

Cheers,

Jeff

Re: Login with LDAP authentication takes 5 seconds

From
Achilleas Mantzios
Date:
On 28/05/2018 17:26, Andreas Schmid wrote:
> Hi,
>
> I configured my PostgreSQL 10 DB on Debian 9.2 with LDAP authentication (simple bind mode). While this basically works, it has the strange effect that the first login with psql takes around 5 seconds. When I reconnect within 60 seconds, the login completes immediately.
>
> The LDAP server is behind a firewall. So for a test, in pg_hba.conf I put the LDAP server's IP address instead of its DNS name (for parameter ldapserver). Like that, all logins complete immediately. But in general I prefer specifying the DNS name rather than the IP.
>
> When I checked on the DB machine with the following commands
> host my.ldap.server.org
> dig my.ldap.server.org
> both always returned the host name and IP address of the LDAP server immediately.
>
> Does anyone of you have an explanation for this, or a hint, where I could do some further investigation?

IPv4 vs IPv6? Any strange timeouts? Look in the postgresql logs for any messages.
Also definitely run wireshark, it'll tell you a lot on what's happening between postgresql and your LDAP.

> Thanks,
> Andy


-- 
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt

Re: Login with LDAP authentication takes 5 seconds

From
Andreas Schmid
Date:
Thanks a lot to all of you for your valuable hints. So I tried some more and found that traceroute and ping show the same symptoms, i.e. first call takes 5 seconds. However, traceroute -4 and ping -4 always respond immediately.
So, searching for "linux dns lookup takes long ipv4" brought me to https://askubuntu.com/a/32312 on AskUbuntu that suggested adding

options single-request

to /etc/resolv.conf. And wow, this did the trick.
So, according to the page linked there, I'm maybe having to do with a DNS Server or Firewall that doesn't handle the parallel IPv4 and IPv6 requests properly... I'll check with my IT.

Thank you again, folks.

Andy

On 31 May 2018 at 16:54, Achilleas Mantzios <achill@matrix.gatewaynet.com> wrote:
> On 28/05/2018 17:26, Andreas Schmid wrote:
> > Hi,
> >
> > I configured my PostgreSQL 10 DB on Debian 9.2 with LDAP authentication (simple bind mode). While this basically works, it has the strange effect that the first login with psql takes around 5 seconds. When I reconnect within 60 seconds, the login completes immediately.
> >
> > The LDAP server is behind a firewall. So for a test, in pg_hba.conf I put the LDAP server's IP address instead of its DNS name (for parameter ldapserver). Like that, all logins complete immediately. But in general I prefer specifying the DNS name rather than the IP.
> >
> > When I checked on the DB machine with the following commands
> > host my.ldap.server.org
> > dig my.ldap.server.org
> > both always returned the host name and IP address of the LDAP server immediately.
> >
> > Does anyone of you have an explanation for this, or a hint, where I could do some further investigation?
>
> IPv4 vs IPv6? Any strange timeouts? Look in the postgresql logs for any messages.
> Also definitely run wireshark, it'll tell you a lot on what's happening between postgresql and your LDAP.
>
> > Thanks,
> > Andy
>
> -- 
> Achilleas Mantzios
> IT DEV Lead
> IT DEPT
> Dynacom Tankers Mgmt
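
Added example, not part of the thread: a Python script that repeats the ping versus ping -4 comparison from the last message by timing getaddrinfo per address family, and checks /etc/resolv.conf for the single-request option. The function names, the 1-second threshold and port 389 are assumptions chosen for illustration.

```python
import socket
import time

# AF_UNSPEC is what a plain lookup uses (ping, an LDAP client given a host name);
# AF_INET and AF_INET6 correspond to "ping -4" and "ping -6".
FAMILIES = (("unspec", socket.AF_UNSPEC), ("ipv4", socket.AF_INET),
            ("ipv6", socket.AF_INET6))

def resolv_options(text):
    """Return the set of words on 'options' lines of resolv.conf-style text."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "options":  # comment lines start with # or ;
            found.update(fields[1:])
    return found

def time_lookups(host, resolver=socket.getaddrinfo, clock=time.monotonic):
    """Time one lookup per address family: {name: (seconds, resolved)}."""
    timings = {}
    for name, family in FAMILIES:
        start = clock()
        try:
            resolver(host, 389, family, socket.SOCK_STREAM)  # 389: assumed LDAP port
            resolved = True
        except socket.gaierror:
            resolved = False
        timings[name] = (clock() - start, resolved)
    return timings

def diagnose(timings, options, slow=1.0):
    """Classify the symptom; 'slow' (seconds) is an assumed threshold."""
    unspec, ipv4 = timings["unspec"][0], timings["ipv4"][0]
    if unspec >= slow and ipv4 < slow:
        if "single-request" in options:
            return "slow-despite-single-request"
        return "parallel-a-aaaa-suspected"
    return "slow-for-all-families" if unspec >= slow else "ok"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "my.ldap.server.org"
    with open("/etc/resolv.conf") as fh:
        options = resolv_options(fh.read())
    timings = time_lookups(host)
    for name, (secs, ok) in timings.items():
        print(f"{name:7s} {secs:6.2f}s resolved={ok}")
    print(diagnose(timings, options))
```

Because the thread reports that a reconnect within 60 seconds is fast, run it after at least that much idle time so the first (unspec) lookup is a cold one.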