Are there any negative consequences of these settings?
`getgrnam()`/`getgrgid()` libc functions (and thus, for example, `getent group $group`) won't return group members.
BTW, I was able to reverse all of the timeout settings
If a network operation doesn't complete within a timeout then it just fails, it doesn't work faster. So reduced timeouts can't give any performance boost.
On Fri, Dec 6, 2024 at 6:01 PM Ice Man via sssd-users < sssd-users@lists.fedorahosted.org> wrote:
That helped my local tests, putting the cold-cache version on part with the warm-cache call.
I checked the number of groups (and its performance) using:
$ sudo sss_cache --groups && sleep 5 && time (printf "%s\n" $(groups$USER) | sort -u | wc -l) && time (printf "%s\n" $(groups $USER) | sort -u | wc -l) 29
real 0m0.620s user 0m0.007s sys 0m0.035s 29 real 0m0.026s user 0m0.012s sys 0m0.012sAre there any negative consequences of these settings? ... BTW, I was able to reverse all of the timeout settings and still get this performance boost, just by using:
$ git diff /etc/sssd diff --git a/sssd/sssd.conf b/sssd/sssd.conf index ed048b5..7b05e21 100644 --- a/sssd/sssd.conf +++ b/sssd/sssd.conf @@ -9,6 +9,8 @@ override_space = _ [pam] [domain/corp.mycompany.com] +ignore_group_members = true +subdomain_inherit = ignore_group_members ldap_referrals = False enumerate = False # This allows users to still login when the LDAP server cannot bereached
Thanks so much for the help! :)