Hi Simo, thanks for your assistance.
Can you please tell what version of SSSD you are using? We noticed a few issues with the initgroups code in older versions and have fixes that should increase performance of initgroups by avoiding many of the lookups you see.
I'm running the latest RHEL6: sssd-1.5.1-34.el6_1.3.x86_64
The bit I don't understand is: It does this even when I have "Enumerate" set to False. Isn't Enumerate = False supposed to stop it from downloading all the group memberships?
Yes, but see above.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/chap-SSSD_User_Guide-Configuring_Domains.html
Note I'm using an "ldap_filter" on just one group to control access to the box. So really for the initial login process it only needs to see the users that exist in one group. The only time I would expect it to look at other groups is when somebody types the "groups" command for example or does an "ls" in a directory.
Groups need to be set at login time in the shell as they are inherited by all your processes. So we cannot delay a full group resolution, but we can improve its speed.
I see, that makes sense.
access_provider = ldap
ldap_access_filter = memberOf=cn=jbsrd,ou=xxx,ou=Right Groups,ou=Groups,dc=xxx,dc=xxx,dc=xxx
I'm just wondering if anybody else is using sssd in a large company or university with a large LDAP directory and wondered how they got around this issue.
Yes, we've seen this problem and we think we addressed the slowest paths recently.
Please provide what version you are using so we can tell you if improvements are available.
I'm using the latest RHEL6 package. Should I try compiling v1.6.1 from source?
Best regards,
Tim Gollschewsky.