On Fri, 2011-09-23 at 10:02 +1000, GOLLSCHEWSKY, Tim wrote:
I work in an organisation with a relatively large LDAP (active)
When we ssh into a server running SSSD it seems to enumerate all the
groups in the "ldap_group_search_base" which takes a very long time.
Sometimes it can take up to 30 seconds for the Password: prompt to
appear to the ssh client, which feels like ages when you are logging
into Linux machines all day.
I've been running debug on the sssd process and I can see it searching
and populating all the groups when a person tries to log in. It calls
"ldap_search_ext" over and over again until all the groups (and users
inside those groups) have been discovered. Once it's done this and
has all the info in the cache, logging back in again is quick. But if
I don't login for a day or so and try to login again, it downloads all
the group information once again and I have the 30 second wait.
Can you please tell what version of SSSD you are using ?
We noticed a few issues with the initgroups code in older version and
have fixes that should increase performance of initgroups by avoiding
many of the lookups you see.
The bit I don't understand is: It does this even when I have
"Enumerate" set to False. Isn't Enumerate = False supposed to stop it
from downloading all the group memberships?
Yes, but see above.
Note I'm using an "ldap_filter" on just one group to control access to
the box. So really for the initial login process it only needs to see
the users that exist in one group. The only time I would expect it to
look at other groups is when somebody types the "groups" command for
example or does an "ls" in a directory.
Groups need to be set at login time in the shell as they are inherited
by all your processes. So we cannot delay a full group resolution, but
we can improve its speed.
access_provider = ldap
ldap_access_filter = memberOf=cn=jbsrd,ou=xxx,ou=Right
I'm just wondering if anybody else is using sssd in a large company or
university with a large LDAP directory and wondered how they got
around this issue.
Yes, we've seen this problem and we think we addressed the slowest paths
Please provide what version you are using so we can tell you if
improvements are available.
Simo Sorce * Red Hat, Inc * New York