Hi Simo, thanks for your assistance.
Can you please tell what version of SSSD you are using?
We noticed a few issues with the initgroups code in older version and have fixes that
should increase performance of initgroups by avoiding many of the lookups you see.
I'm running the latest RHEL6: sssd-1.5.1-34.el6_1.3.x86_64
> The bit I don't understand is: It does this even when I
> "Enumerate" set to False. Isn't Enumerate = False supposed to stop it
> from downloading all the group memberships?
Yes, but see above.
> Note I'm using an "ldap_filter" on just one group to control access to
> the box. So really for the initial login process it only needs to see
> the users that exist in one group. The only time I would expect it to
> look at other groups is when somebody types the "groups" command for
> example or does an "ls" in a directory.
Groups need to be set at login time in the shell as they are inherited by all your
processes. So we cannot delay a full group resolution, but we can improve its
I see, that makes sense.
> access_provider = ldap
> ldap_access_filter = memberOf=cn=jbsrd,ou=xxx,ou=Right
> I'm just wondering if anybody else is using sssd in a large company or
> university with a large LDAP directory and wondered how they got
> around this issue.
Yes, we've seen this problem and we think we addressed the slowest paths recently.
Please provide what version you are using so we can tell you if improvements are
I'm using the latest RHEL6 package. Should I try compiling v1.6.1 from source?