On Thu, May 23, 2013 at 07:59:14AM -0400, Josh Endries wrote:
I would definitely be interested in testing the changes out.
Great, I build the latest 6.4 packages along with the new option to
disable range retrievals:
http://jhrozek.fedorapeople.org/sssd-range-retrieval/
To disable the range retrieval functionality (and get the same behaviour
as in 6.3), put the following directive into your sssd.conf into the
domain section:
ldap_disable_range_retrieval = True
and then restart the SSSD. Large groups (>1500 members) should then
appear as empty, while small groups should appear as they used to.
I don't think I am running into that ticket exactly; I'm not
in one group
with that many users that I'm aware of. However, my own account is in over
twenty groups, some of which are "all employees" and "all students",
so
it's a large result set. Ultimately it just means lots and lots of extra
look-ups when I just want a list of GIDs/names.
I see, then it might be a completely different issue. I would advise to
test the build first and if it doesn't help, then we'd take a look at
the debug logs.
Here is my config file. This is mostly from trial and error, Google
and man, so it's probably not perfect (but it works):
The config file looks good to me, in general I would just recommend
using GSSAPI over password binds:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate...
The most important part for performance when it comes to AD client is
disabling referrals (which you already do).