On 10/24/2012 05:49 PM, Paul B. Henson wrote:
>We're working on transitioning from RHEL5 to RHEL6 and have run into a
>bit of a problem with sssd and our ldap integration.
>
>We have a number of groups with a very large number of members, which
>took excessively long with nss_ldap to retrieve. We implemented the
>nss_getgrent_skipmembers feature for nss_ldap, got it accepted into the
>PADL upstream, talked Red Hat into backporting it, and have been
>using it for years. Basically, this feature allows you to not request
>the member attribute for a group lookup; the group shows up with no members.
>However, for the purposes of initgroups, membership is still taken into
>account and users belong to the correct groups. This works perfectly for
>our needs.
>
Paul, this has been proposed as
https://fedorahosted.org/sssd/ticket/1376 which is currently slated
for inclusion in SSSD 1.10. You're not the first person to request
this functionality, but it just hasn't been implemented yet.
Also, as Dmitri has stated, in the case of initgroups (which can be
tested with 'id -G username') SSSD 1.9.x has implemented several very
serious performance increases.
Please test with 'id -G' and not just 'id', as the latter doesn't
just get the user's group memberships but also retrieves the full
contents of each of the groups.
There have also been many performance improvements done during the 1.9
development. I would suggest that you try the 1.9 packages to see if the
performance is acceptable for you.
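Added example, not part of the thread: a small POSIX shell script that compares the two lookups the reply distinguishes, 'id -G' (initgroups path, GIDs only) against a full 'id' (which also resolves every GID to a group entry). It assumes GNU date (for %N) and awk are available; the user name defaults to the caller.

```shell
#!/bin/sh
# Compare the cost of an initgroups-style lookup ('id -G') with a full 'id',
# which additionally resolves each GID through the group database and so
# pulls in every group entry (with its member list, unless skipped).

# Number of GIDs the initgroups path returns for a user.
count_gids() {
    id -G "$1" | wc -w | tr -d ' '
}

# Number of group names resolved for the same user (what a plain 'id' does).
count_group_names() {
    id -Gn "$1" | wc -w | tr -d ' '
}

# Wall-clock seconds for N repetitions of a command (assumes GNU date +%N).
time_cmd() {
    n=$1; shift
    start=$(date +%s.%N)
    i=0
    while [ "$i" -lt "$n" ]; do
        "$@" >/dev/null 2>&1
        i=$((i + 1))
    done
    end=$(date +%s.%N)
    echo "$start $end" | awk '{ printf "%.3f", $2 - $1 }'
}

user=${1:-$(id -un)}
echo "user: $user, gids: $(count_gids "$user")"
echo "id -G (x20): $(time_cmd 20 id -G "$user")s"
echo "id    (x20): $(time_cmd 20 id "$user")s"
```

On a host where groups are large and the member attribute is fetched, the second timing grows with the size of the user's groups while the first does not.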