PostgreSQL

You are right, Rick.
The LDAP Machine resolver does not support the server pool.

Too bad.
I will create an issue and fix this.

Kind regards
Cornelius

On Wednesday, 09.12.2015, 05:32 -0800, RickP wrote:

Unfortunately the list of LDAP servers works in the Users resolver
with comma separated entries, but for computers it fails, gets LDAP
InvalidServerError() with the exact same cut and pasted entry from
Users when tried on Computers.

We had tried the base company name as a method to provide multiple
backends there and it seemed to work. Changed that yesterday to a
single entry but did not see any change, will review and test again
this morning here.

Thanks for all the replies!!

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/15be07a1-31ce-42c9-bca1-9a6ee0f3ae69%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


I believe you are right on this uwsgi worker killing itself off after 60
seconds, I haven't successfully manipulated the harakiri value to effect
change, but did build a new test frontend web instance with apache2 today
and keys return consistently in 1 second time after time after time…

On Tuesday, December 8, 2015 at 2:13:25 PM UTC-5, Cornelius Kölbel wrote:

Hi Rick,

I can not reproduce 5 secs. But I have the impression, that using nginx
produces a similar effect on my system. Well not 5 secs but maybe
0.5secs delay. (But at the moment I am using it with a local MySQL)…

OK, here is my suggestion. After 60 secs the uwsgi workers get killed.
For what reason ever - probably because I am no nginx expert :wink:

So please try to change the <harakiri> value in
/etc/uwsgi/apps-enabled/privacyidea.xml
to a higher value. Several minutes and restart uwsgi.

My theory is, that the uwsgi workers get killed. And when they are
initialized again, they need to setup all the environment. Including the
DB connection, which takes more time to your remote postgres server.

At the moment I am too lazy to set up a postgres to confirm my theory :wink:
Can you do so by changing the above mentioned config?

Kind regards
Cornelius

On Tuesday, 08.12.2015, 19:58 +0100, Cornelius Kölbel wrote:

Hi Rick,

to rule out the nginx/uwsgi you could run the server with the runscript
as user root:

pi-manage runserver -t 10.1.25.133 -p 1234

And connect to this machine (if it is ok for you, to run it unencrypted).

Otherwise run it locally and do an SSH port forwarding.

pi-manage runserver -z 127.0.0.1

If the 5sec remain it is either due to PI code or due to the database.
If it is gone. We need to take a look at nginx/uwsgi.

Kind regards
Cornelius

On Tuesday, 08.12.2015, 19:43 +0100, Cornelius Kölbel wrote:

Which postgres driver are you using?

Have you restarted uwsgi after changing pi.cfg?

Kind regards
Cornelius

On Tuesday, 08.12.2015, 10:41 -0800, RickP wrote:

in a basic python script to connect to the DB we definitely see the
delay if using hostname, and do not see the delay at all if using IP,
leads one to think something bad in dns, but nslookups immediately
return the hostname lookup, using IP inside the pi.cfg did not change
the behavior however, enabling debug logging to see what pops there

the test scripts were simply:

conn_string = "host='wslpidpg098.inmar.com' dbname='privacyidea' user='svcpidea' password='catonaroof'"

vs

conn_string = "host='10.1.25.131' dbname='privacyidea' user='svcpidea' password='catonaroof'"


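An added example, not part of the thread: one way to split the hostname-versus-IP delay from the test scripts above into phases, timing the system resolver per address family and then the TCP connect to each returned address. nslookup queries the DNS servers directly, while libpq-based clients resolve through getaddrinfo(), so an immediate nslookup answer does not rule out a slow lookup inside the client. The function names, the `resolve` parameter and the command-line usage are assumptions of this example.

```python
import socket
import time


def time_phases(host, port, resolve=socket.getaddrinfo, timeout=10.0):
    """Return (phase, seconds, detail) tuples: one lookup per address
    family, then one TCP connect per resolved address."""
    results = []
    addrs = []
    for label, family in (("A", socket.AF_INET), ("AAAA", socket.AF_INET6)):
        start = time.monotonic()
        try:
            infos = resolve(host, port, family, socket.SOCK_STREAM)
            detail = sorted({info[4][0] for info in infos})
            addrs += [(info[0], info[4]) for info in infos]
        except socket.gaierror as exc:
            # A failed or timed-out lookup still costs wall-clock time.
            detail = "lookup failed: %s" % exc
        results.append(("resolve " + label, time.monotonic() - start, detail))
    # De-duplicate while keeping resolver order, then time each connect.
    for family, sockaddr in dict.fromkeys(addrs):
        start = time.monotonic()
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            detail = "connected"
        except OSError as exc:
            detail = "connect failed: %s" % exc
        finally:
            sock.close()
        results.append(("connect " + sockaddr[0],
                        time.monotonic() - start, detail))
    return results


def slowest_phase(results):
    """Name of the phase that took longest."""
    return max(results, key=lambda r: r[1])[0]


if __name__ == "__main__":
    import sys
    # Assumed usage: python dbdelay.py <db-host> [port]
    # 5432 is the PostgreSQL default port.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5432
    phases = time_phases(host, port)
    for phase, seconds, detail in phases:
        print("%-28s %7.3fs  %s" % (phase, seconds, detail))
    print("slowest:", slowest_phase(phases))
```

Running it once with the hostname and once with the IP shows whether the extra seconds sit in a resolver phase or in the connect itself.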

Hi Rick,

“haven't successfully manipulated harakiri”:
Does this mean you changed it but it had no effect
or didn’t you change it at all?

(no native speaker :wink:

Anyway: Glad to hear, that it does work out for you, now.

If you have any further questions, just ask.

Kind regards
Cornelius

On Friday, 11.12.2015, 12:54 -0800, RickP wrote:

I believe you are right on this uwsgi worker killing itself off
after 60 seconds, I haven't successfully manipulated the harakiri value
to effect change, but did build a new test frontend web instance with
apache2 today and keys return consistently in 1 second time after time
after time…


installed a new frontend with the privacyidea-nginx 2.8-1 version, the
harakiri setting doesn't seem to affect anything timing wise… but the
system doesn't display the 5 second delays as we see in the 2.7 version, it
is still slower than the performance of the apache2 instance. Apache
returns the key consistently in around 1.0 seconds flat, the nginx 2.8
version is now returning keys in 1.6-1.8 seconds but much better than the
6-8 seconds of 2.7.

We may still just switch over to the apache version for our production
instances.

Unfortunately we got off on this trail here in this Postgres thread as we
initially thought it was a pg connection issue so no one else will stumble
upon our adventures.

“haven't successfully manipulated harakiri”:

meaning we modified the /etc/uwsgi/apps-enabled/privacyidea.xml line

<harakiri>3600</harakiri>

changed to 120 and to 3600 restarting the uwsgi service each time but the
60 second timeout then long 5 second reconnect thing still happens

Here is the complete file:

python /run/uwsgi/app/privacyidea/privacyidea.socket /etc/privacyidea/ privacyideaapp 8 3600 8 1 /tmp/stats.socket 2000 512 256 192 privacyidea www-data

Hi Rick,

ok, I understand.

But I think running privacyIDEA under Apache is also OK for?

Kind regards
Cornelius

On Monday, 14.12.2015, 05:26 -0800, RickP wrote:

"haven't successfully manipulated harakiri":

meaning we modified the /etc/uwsgi/apps-enabled/privacyidea.xml line

<harakiri>3600</harakiri>

changed to 120 and to 3600 restarting the uwsgi service each time but
the 60 second timeout then long 5 second reconnect thing still
happens

Here is the complete file:

python /run/uwsgi/app/privacyidea/privacyidea.socket /etc/privacyidea/ privacyideaapp 8 3600 8 1 /tmp/stats.socket 2000 512 256 192 privacyidea www-data



Hi Rick,

thanks a lot for the update on the delay issue.

If you have any additional input (ideas/improvements) on the SSH
keys/SSH tokens just let us know.

Kind regards
Cornelius

On Monday, 14.12.2015, 12:03 -0800, RickP wrote:

installed a new frontend with the privacyidea-nginx 2.8-1 version,
the harakiri setting doesn't seem to affect anything timing wise… but
the system doesn't display the 5 second delays as we see in the 2.7
version, it is still slower than the performance of the apache2
instance. Apache returns the key consistently in around 1.0 seconds
flat, the nginx 2.8 version is now returning keys in 1.6-1.8 seconds
but much better than the 6-8 seconds of 2.7.

We may still just switch over to the apache version for our production
instances.

Unfortunately we got off on this trail here in this Postgres thread as
we initially thought it was a pg connection issue so no one else will
stumble upon our adventures.



Yes we may switch to Apache, do see that you have posted a new version
2.8-1 of privacyidea-nginx we have 2.7-1 currently, so I'm working on
building a front end with that version just to see the behavior, we had
only chosen nginx as most of our dev teams internally have been pushing
nginx away from apache. Will update on the 2.8-1 behavior.

Hi Rick,

this is a new privacyidea release 2.8(.1).

In case of a new release everything is built anew

the base package python-privacyidea and the meta packages
privacyidea-apache2 and privacyidea-nginx.

I assume the 5 secs delay is something with nginx.
I suppose you get started with apache and maybe some of your nginx-folks
can figure out the nginx-thing?

Kind regards
Cornelius

On Monday, 14.12.2015, 10:14 -0800, RickP wrote:

Yes we may switch to Apache, do see that you have posted a new version
2.8-1 of privacyidea-nginx we have 2.7-1 currently, so I'm working on
building a front end with that version just to see the behavior, we
had only chosen nginx as most of our dev teams internally have been
pushing nginx away from apache. Will update on the 2.8-1 behavior.
