sgallagh(a)redhat.com wrote:
> On Wed, 2012-06-27 at 13:18 -0400, Mark London wrote:
>> Hi - We are running SSSD with LDAP at our site, where we have several
>> hundred users. LDAP is being served by our Windows domain server.
>>
>> With entry_cache_timeout set to a short value, when someone does an
>> operation that requires information for multiple users, i.e. listing the
>> owners of all of the user's home directories via the command "ls -l
>> /home", this will take many many minutes to complete. Of course, this
>> happens, because an LDAP request has to be issued for each user, and
>> then stored in the database. Further similar operations will complete
>> quickly, during the entry_cache_timeout period. But such operations do
>> not occur frequently enough for the data to be kept in the cache.
>>
>> The only solution seems to be to simply increase entry_cache_timeout to
>> a very large value. Of course, this is not ideal, because changes to
>> the ldap entries will not be seen for a long time. A kludge workaround,
>> would be to keep a low timeout, and have a cron job that runs the
>> command "ls -l /home" every 5 minutes, on each workstation.
>>
>> Is there a more elegant way to solve this problem? Thanks. - Mark
>
> If this action is a very common one (listing all of /home), then in your
> particular environment you will probably want to set 'enumerate = True'
> in the [domain/DOMAINNAME] section of sssd.conf.
>
> What this does is instruct SSSD to poll for cache updates on a regular
> basis and store cached information about all users and groups at all times.
Hi - We have enumerate turned on and it works great when SSSD is
started, as "ls -l /home" returns immediately. However, that's not the
case, no matter what I set ldap_enumeration_refresh_timeout. I.e. After
I received your email, I thought maybe that the enumeration data was
being cleared out of the cache somehow. So I tried setting the
ldap_enumeration_refresh_timeout to much less than entry_cache_timeout.
Should that prevent the cached entries from ever timing out? In any
event, it doesn't appear to work. "ls -l /home" still takes a long time
and triggers requests.
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'hereiam' matched without domain, user is hereiam
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400):
Requesting info for [hereiam] from [<ALL>]
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/PSFC/hereiam]
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [hereiam@PSFC]
Here's our sssd.conf. Thanks for any help. - Mark
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LOCAL,LDAP
domains = PSFC
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts
# that are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0
# The entry_cache_timeout indicates the number of seconds to retain an
# entry in cache before it is considered stale and must block to refresh.
# The entry_cache_nowait_timeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full entry_cache_timeout). Setting this
# value to 0 turns this feature off (default).
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300
[pam]
reconnection_retries = 3
debug_level = 0
[domain/PSFC]
description = LDAP domain with AD server
enumerate = true
min_id = 501
cache_credentials = true
entry_cache_timeout = 600
debug_level = 0
ldap_enumeration_refresh_timeout = 120
id_provider = ldap
chpass_provider = none
auth_provider = ldap
ldap_uri = _srv_,ldaps://198.125.180.133
ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_tls_cacert = /etc/openldap/cacerts/test.cer
ldap_schema = rfc2307bis
ldap_search_base = dc=psfc,dc=mit,dc=edu
ldap_user_search_base = dc=psfc,dc=mit,dc=edu
ldap_group_search_base = dc=psfc,dc=mit,dc=edu
ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC Users,DC=psfc,DC=mit,DC=edu
ldap_default_authtok_type = password
ldap_default_authtok = ldapread
#ldap_pwd_policy = none
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_member = msSFU30PosixMember
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_name = name
ldap_group_gid_number = msSFU30GidNumber
ldap_force_upper_case_realm = True
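One way to check from the logs whether cached entries really are being re-fetched sooner than entry_cache_timeout, as an added example that is not part of the thread and not SSSD project code: the script below parses records in the sssd_nss.log format quoted above (each record on one line, as written by sssd; the mail client wrapped the quoted ones), collects every nss_cmd_getpwnam_search "Requesting info for [user@DOMAIN]" record, and reports users that were looked up again less than a configured window (here the 600 s entry_cache_timeout from the posted sssd.conf) after the previous lookup. The sample log lines are constructed for the example. Caveat: that log message records the responder starting a lookup, not that the request reached LDAP; confirm a backend round-trip by correlating the timestamps with the domain log (sssd_PSFC.log) before concluding the cache is being bypassed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the sssd_nss.log format seen in the thread.
# 'hereiam' is looked up twice 324 s apart (inside a 600 s cache timeout),
# 'otheruser' twice 890 s apart (outside it).
SAMPLE_LOG = """\
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'hereiam' matched without domain, user is hereiam
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [hereiam] from [<ALL>]
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/PSFC/hereiam]
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [hereiam@PSFC]
(Thu Jun 28 08:05:10 2012) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [otheruser@PSFC]
(Thu Jun 28 08:09:30 2012) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [hereiam@PSFC]
(Thu Jun 28 08:20:00 2012) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [otheruser@PSFC]
"""

# "(timestamp) [sssd[service]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Only matches the fully qualified form "[user@DOMAIN]", not "[user] from [<ALL>]".
LOOKUP_RE = re.compile(r"Requesting info for \[(?P<name>[^@\]]+)@(?P<domain>[^\]]+)\]")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Split one sssd log record into its fields, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "service": m.group("svc"),
        "func": m.group("func"),
        "level": int(m.group("level"), 16),
        "msg": m.group("msg"),
    }


def user_lookups(log_text):
    """Return [(timestamp, user, domain)] for every per-domain getpwnam lookup
    the nss responder started (nss_cmd_getpwnam_search records)."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"] != "nss_cmd_getpwnam_search":
            continue
        m = LOOKUP_RE.search(rec["msg"])
        if m:
            found.append((rec["ts"], m.group("name"), m.group("domain")))
    return found


def repeated_within(lookups, window_seconds):
    """Map (user, domain) -> [(earlier, later), ...] for consecutive lookups of the
    same user spaced less than window_seconds apart. With window_seconds set to
    entry_cache_timeout, any hit is a user whose entry was looked up again while
    the cache should still have been serving it."""
    by_user = defaultdict(list)
    for ts, name, domain in lookups:
        by_user[(name, domain)].append(ts)
    window = timedelta(seconds=window_seconds)
    hits = {}
    for key, stamps in by_user.items():
        stamps.sort()
        close = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a < window]
        if close:
            hits[key] = close
    return hits


if __name__ == "__main__":
    # 600 s is the entry_cache_timeout from the posted sssd.conf.
    for (user, domain), pairs in repeated_within(user_lookups(SAMPLE_LOG), 600).items():
        for earlier, later in pairs:
            gap = int((later - earlier).total_seconds())
            print(f"{user}@{domain}: looked up again after {gap}s (< 600s cache timeout)")
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/sssd/sssd_nss.log collected at a debug level that includes 0x0100 records, and set the window to the entry_cache_timeout in force for that domain.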