I've configured sudo to use the ipa backend basically using the config ipa-client-install generated for me and it's mostly working.
However, when I configure sudo rules in FreeIPA with hostgroups containing a large amount of hosts, and I attempt to run sudo with an emptied sssd cache I get delays as sssd looks up the hosts in those netgroups, sometimes leading to timeouts when these lookups exceed ldap_search_timeout. I don't think looking up the hosts the netgroups should be required to evaluate the sudo rules. Configuring ignore_group_members=True unfortunately doesn't seem to help me here.
Is there any way I can avoid sssd looking up these large netgroups?
On Fri, 29 Nov 2024, Richard Doerwaldt via sssd-users wrote:
> I've configured sudo to use the ipa backend basically using the config ipa-client-install generated for me and it's mostly working.
> However, when I configure sudo rules in FreeIPA with hostgroups containing a large amount of hosts, and I attempt to run sudo with an emptied sssd cache I get delays as sssd looks up the hosts in those netgroups, sometimes leading to timeouts when these lookups exceed ldap_search_timeout. I don't think looking up the hosts the netgroups should be required to evaluate the sudo rules.
SUDO does evaluate netgroups mentioned in the SUDO rules. So it needs to know that information. It uses innetgr(3) to request evaluation of the host's presence in the netgroup.
Basically, the flow is:
- collect SUDO rules (sssd)
- provide SUDO rules to SUDO via SSSD plugin
- SUDO performs rule evaluation
- for each rule with a netgroup, a match is attempted via innetgr(3) call
- innetgr(3) will ask all configured netgroup plugins in glibc for their data, including SSSD
- SSSD will have to pull all netgroups that this host or a is a member of.
> Configuring ignore_group_members=True unfortunately doesn't seem to help me here.
I don't think SSSD ignores membership for netgroups.
On Fri, Nov 29, 2024 at 1:19 PM Richard Doerwaldt via sssd-users <sssd-users@lists.fedorahosted.org> wrote:
> I've configured sudo to use the ipa backend basically using the config ipa-client-install generated for me and it's mostly working.
> However, when I configure sudo rules in FreeIPA with hostgroups containing a large amount of hosts, and I attempt to run sudo with an emptied sssd cache I get delays as sssd looks up the hosts in those netgroups, sometimes leading to timeouts when these lookups exceed ldap_search_timeout. I don't think looking up the hosts the netgroups should be required to evaluate the sudo rules. Configuring ignore_group_members=True unfortunately doesn't seem to help me here.
> Is there any way I can avoid sssd looking up these large netgroups?
(As was already explained) no, but what is your DS version?
There was a performance issue in this area in old versions: https://bugzilla.redhat.com/show_bug.cgi?id=1913199
(Apologies for the late reply.)
Thanks. I don't quite understand the sudo side of things here. I had a look at the FreeIPA LDAP and sssd log and it looks like sssd performs a quick LDAP query which retrieves all the relevant sudo rules for the host it's running on at startup. I don't quite see the need for then looking up all the members of a potentially large netgroup. I do not get the same kind of delay when evaluating HBAC rules referring to the same large hostgroup, for example. If I don't have sudo rules explicitly referencing netgroups, could I then disable the netgroup functionality entirely, or is it required for sudo rules matching hostgroups? Is there any way to use LDAP sudo rules with FreeIPA instead?
On Mon, Dec 2, 2024, at 12:01, Alexey Tikhonov wrote:
> but what is your DS version?
> There was a performance issue in this area in old versions: https://bugzilla.redhat.com/show_bug.cgi?id=1913199
Thanks for the reply. I did see that one and thought it looked relevant, but I'm on RHEL 9.5 running 389-ds-base-2.5.2.