> > I'm not sure if artificially trimming the group list is a good idea.
> > It wouldn't work for everyone and I would be wary of breaking access
> > control mechanisms.
>
> Noted. And yes I agree this (non-mandatory) config option wouldn't be useful for everyone, it's just something
> that fixes my particular problem (reduces ssh login times from 30 seconds to <5).
>
> I may have to write my own patch and apply it to the SRPM as each official version of SSSD is released. It won't be
> supported by Red Hat obviously but my users won't be complaining about slow login times anymore. So partial win. :)
Just thought I'd contribute my results in case this helps with your investigation of the larger problem. I assume there are other organisations with huge AD/LDAP directories that are having similar issues with ssh authentication times.
I've finished my local patch and added a config option called: ldap_rfc2307bis_initgroups_filter
If not specified, sssd just reverts to normal behaviour (cn=*) during the initgroups run.
With no ldap_rfc2307bis_initgroups_filter:
# time ssh myhost groups
xxxxdm xxxxdef xxxxgmt xxxx002 xxxx003 xxxxp xxxx001 xxxx002 xxxxt xxxxp xxxxange xxxxra xxxxb2 xxxxp xxxxd xxxxt xxxxp xxxxp xxxxp xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxp xxxxp xxxxd xxxxd xxxxp xxxxt xxxxd xxxxlemr xxxxp xxxxd xxxxp xxxxp xxxxd xxxxt xxxxd xxxxp xxxxd xxxxd xxxxt xxxxp xxxxt xxxxp xxxxd xxxxd xxxxt xxxxp xxxxd xxxxu xxxxp xxxxp xxxxp xxxxp xxxxd xxxxp xxxxp xxxxu xxxxp xxxxp xxxxt xxxxp xxxxd xxxxd xxxxt xxxxp xxxxd xxxxt xxxxt xxxxd xxxxt xxxxp xxxxp xxxxi xxxxd xxxxd xxxxp xxxxd xxxxp xxxxp xxxxd xxxxd xxxxp xxxxp xxxxd xxxxp xxxxd xxxxp xxxxd xxxxp xxxxp xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxp xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxp xxxxd xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd xxxxp xxxxt xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd
real 0m48.47s
user 0m0.15s
sys 0m0.02s
With ldap_rfc2307bis_initgroups_filter = (|(cn=xxxrd)(cn=xxxxp)(cn=xxxxd))
# time ssh myhost groups
xxxxdm xxxxgmt xxxxd xxxxp xxxxd
real 0m5.11s
user 0m0.15s
sys 0m0.03s
This hack will have to do until a better solution is found. I'm hoping the fixes coming in 1.7.0 will do the trick. :)
Thanks to everyone who helped me get to this point.
Best regards,
Tim Gollschewsky.
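The concern raised earlier in the thread, that artificially trimming the group list can break access-control mechanisms, is worth checking mechanically before deploying a filter like the one above. The script below is an added example, not Tim's patch and not SSSD code: it builds an OR-of-cn filter of the same shape as the value shown above (with RFC 4515 escaping, so a group name containing `*` or parentheses cannot widen the filter), then diffs the full and trimmed group lists against groups referenced by sshd_config AllowGroups/DenyGroups, sudoers %group entries and pam_access access.conf. All group names and config snippets are constructed samples; the access-control file formats are the standard ones, but the parsing is deliberately simple and covers only the common line shapes.

```python
"""Check whether a trimmed initgroups filter drops groups that access-control
configuration relies on. Added example; all data below is constructed."""
import re
from typing import Dict, List, Set

# Constructed sample data (not from the thread): the groups a user gets with the
# default (cn=*) initgroups run, and the groups left after a restrictive filter.
FULL_GROUPS = ["xxxxdm", "xxxxdef", "xxxxgmt", "sshusers", "wheel", "xxxxp", "xxxxd", "xxxx002"]
TRIMMED_GROUPS = ["xxxxdm", "xxxxgmt", "xxxxd", "xxxxp"]

# Constructed snippets of access-control files that reference groups.
SSHD_CONFIG = """\
# constructed sample sshd_config
PermitRootLogin no
AllowGroups sshusers xxxxdm
"""
SUDOERS = """\
# constructed sample sudoers
%wheel ALL=(ALL) ALL
%xxxxgmt ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""
PAM_ACCESS = """\
# constructed sample access.conf for pam_access
+ : (xxxxdm) : ALL
- : ALL : ALL
"""


def build_cn_filter(groups: List[str]) -> str:
    """Build a (|(cn=a)(cn=b)...) filter, escaping RFC 4515 special characters
    so a group name can never change the structure of the filter."""
    def esc(value: str) -> str:
        return (value.replace("\\", "\\5c").replace("*", "\\2a")
                     .replace("(", "\\28").replace(")", "\\29")
                     .replace("\x00", "\\00"))
    if len(groups) == 1:
        return f"(cn={esc(groups[0])})"
    return "(|" + "".join(f"(cn={esc(g)})" for g in groups) + ")"


def groups_from_sshd(text: str) -> Set[str]:
    """Group names listed on AllowGroups / DenyGroups lines."""
    found: Set[str] = set()
    for line in text.splitlines():
        m = re.match(r"\s*(AllowGroups|DenyGroups)\s+(.+)", line, re.IGNORECASE)
        if m:
            found.update(m.group(2).split())
    return found


def groups_from_sudoers(text: str) -> Set[str]:
    """Group names used as %group specs at the start of sudoers lines."""
    found: Set[str] = set()
    for line in text.splitlines():
        m = re.match(r"\s*%([^\s,:]+)", line)
        if m:
            found.add(m.group(1))
    return found


def groups_from_pam_access(text: str) -> Set[str]:
    """Group names written in parentheses in access.conf user fields."""
    return set(re.findall(r"\(([^)]+)\)", text))


def dropped_groups(full: List[str], trimmed: List[str]) -> Set[str]:
    """Groups present in the unfiltered run but absent after filtering."""
    return set(full) - set(trimmed)


def access_control_impact(full: List[str], trimmed: List[str],
                          sources: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each access-control source to the dropped groups it references."""
    dropped = dropped_groups(full, trimmed)
    return {name: sorted(dropped & refs)
            for name, refs in sources.items() if dropped & refs}


def run_check() -> Dict[str, List[str]]:
    sources = {
        "sshd_config": groups_from_sshd(SSHD_CONFIG),
        "sudoers": groups_from_sudoers(SUDOERS),
        "access.conf": groups_from_pam_access(PAM_ACCESS),
    }
    return access_control_impact(FULL_GROUPS, TRIMMED_GROUPS, sources)


if __name__ == "__main__":
    print("candidate filter:", build_cn_filter(["xxxrd", "xxxxp", "xxxxd"]))
    for src, groups in run_check().items():
        print(f"{src}: filter drops referenced group(s): {', '.join(groups)}")
```

Run it against a user's real `groups` output before and after the filter is enabled, with the host's actual sshd_config, sudoers and access.conf pasted in; any non-empty result means the filter removes a group that a local policy checks, which is exactly the breakage the earlier reply warned about. With the constructed data the check reports `sshusers` for sshd_config and `wheel` for sudoers, while the pam_access rule keeps working because `xxxxdm` survives the filter.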
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp".