On Thu, 26 Mar 2020, Jannis Mann wrote:

> Hi,
> I just want to check wether the performance of sssd is alright or if there
> is room for improvement.
>
> I am using a binding account to query the Active Directory.
> I've configured a nesting level of 1.
>
> When I login the first time or run the id command it takes around 5 secs to
> finish when the user is member of ~100 (nested) groups in the AD.
> It takes around 10 secs if the user is member of ~200 (nested) groups.
>
> So you can say the loading time is increasing linearly to the membership of
> groups.
>
> Unfortunately I need to use a nesting level of 1. I've set group members to
> false and enumeration off.
>
> Are these values in an acceptable area? What experiences did you make?

ignore_group_members = true

If you're in a situation where you can set this, it makes a massive difference to performance (especially where you have large groups).

I've not retested with newer versions of SSSD, but in the past mounting /var/lib/sss/db as tmpfs made another big performance difference.

We were getting >60 seconds times for an initial login of a user, which would cause timeouts elsewhere.  This ends up bringing it down to more like one second for a typical case, and once it's been cached much faster than that.

That was with nesting level 4.

jh_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org