On Fri, 2011-09-23 at 10:02 +1000, GOLLSCHEWSKY, Tim wrote:
Hi all.
I work in an organisation with a relatively large LDAP (active) directory.
When we ssh into a server running SSSD it seems to enumerate all the groups in the "ldap_group_search_base" which takes a very long time. Sometimes it can take up to 30 seconds for the Password: prompt to appear to the ssh client, which feels like ages when you are logging into Linux machines all day.
I've been running debug on the sssd process and I can see it searching and populating all the groups when a person tries to log in. It calls "ldap_search_ext" over and over again until all the groups (and users inside those groups) have been discovered. Once it's done this and has all the info in the cache, logging back in again is quick. But if I don't login for a day or so and try to login again, it downloads all the group information once again and I have the 30 second wait.
Can you please tell what version of SSSD you are using ? We noticed a few issues with the initgroups code in older version and have fixes that should increase performance of initgroups by avoiding many of the lookups you see.
The bit I don't understand is: It does this even when I have "Enumerate" set to False. Isn't Enumerate = False supposed to stop it from downloading all the group memberships?
Yes, but see above.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment...
Note I'm using an "ldap_filter" on just one group to control access to the box. So really for the initial login process it only needs to see the users that exist in one group. The only time I would expect it to look at other groups is when somebody types the "groups" command for example or does an "ls" in a directory.
Groups need to be set at login time in the shell as they are inherited by all your processes. So we cannot delay a full group resolution, but we can improve its speed.
access_provider = ldap ldap_access_filter = memberOf=cn=jbsrd,ou=xxx,ou=Right Groups,ou=Groups,dc=xxx,dc=xxx,dc=xxx
I'm just wondering if anybody else is using sssd in a large company or university with a large LDAP directory and wondered how they got around this issue.
Yes, we've seen this problem and we think we addressed the slowest paths recently.
Please provide what version you are using so we can tell you if improvements are available.
Simo.