Hello All,
I'm experiencing LDAP server load problems when using Fedora 20 with sssd/ldap to authenticate users. Last year we were using Fedora 18 with sssd/ldap too; our sssd config remains unchanged. So, what is happening:
- sssd is always searching for users in the ldap directory. Seems that the cache is always considered as empty or to be rebuilt.
Seems to retrieve all users (30 000 inside!) when the system boots, when a user logs in and also when a user logs off! As a bonus, sssd loads the CPU as follows:
27937 root 20 0 245308 22892 21888 S *16,0* 0,3 0:09.81 sssd_nss
27935 root 20 0 245908 8296 6804 R *11,6* 0,1 0:07.86 sssd_be
Attached the log file with debug=9 and also our sssd.conf.
Any help would be appreciated.
On 07/10/2014 17:11, John Hodrien wrote:
> On Tue, 7 Oct 2014, François Dagorn wrote:
>> Attached the log file with debug=9 and also our sssd.conf.
> Do you have a really good reason to enable enumerate?
John,
I've a reason, not so good indeed, without enumerate lightdm does not work !
On Tue, Oct 07, 2014 at 05:15:35PM +0200, François Dagorn wrote:
> On 07/10/2014 17:11, John Hodrien wrote:
>> On Tue, 7 Oct 2014, François Dagorn wrote:
>>> Attached the log file with debug=9 and also our sssd.conf.
>> Do you have a really good reason to enable enumerate?
> John,
> I've a reason, not so good indeed, without enumerate lightdm does not work !
Wow, if they rely on getpwent() and friends, then I would call lightdm broken, sorry.. I guess using something like utmp and providing a button to type in the username would be much better..
One thing that might help you is enabling some kind of lastUSN attribute or similar on the server. I don't remember if OpenLDAP has this by default, but using lastUSN might decrease the amount of data that is fetched from the server..
Alternatively, you might want to play with the ldap search bases to set some filter that would match fewer entries (be careful to only use indexed attributes, otherwise a custom query might thrash the server side performance as well)
Not sure I understand well, but with the following:
[nss]
filter_groups = root
filter_users = root
enum_cache_timeout = 36000
entry_cache_nowait_percentage = 99
seems to relax the ldap server ...
sssd-users@lists.fedorahosted.org
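
The options discussed in this thread, gathered into one sssd.conf fragment as an added example; it is not the configuration attached to the original message. The domain name, server URI, base DNs, the filter attribute and the refresh interval are constructed placeholders, and the filter attribute is assumed to be indexed on the server.

```ini
# Added example with constructed values; not the posters' sssd.conf.
[sssd]
services = nss, pam
domains = example

[nss]
# Values quoted in the last message of the thread: keep local accounts
# out of LDAP lookups and hold enumeration results in the NSS cache longer.
filter_groups = root
filter_users = root
enum_cache_timeout = 36000
entry_cache_nowait_percentage = 99

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Setting under discussion: with enumeration on, sssd downloads every
# user and group entry under the search base and refreshes them periodically.
enumerate = true

# If enumeration has to stay on, refresh the enumerated records less
# often than the default of 300 seconds (value below is a placeholder).
ldap_enumeration_refresh_timeout = 3600

# Narrow the user search so that fewer entries match, as suggested in the
# thread. Format is base?scope?filter. Only filter on attributes the
# server indexes; employeeType is a placeholder assumed to be indexed.
ldap_user_search_base = ou=People,dc=example,dc=com?subtree?(employeeType=student)

# Alternative when nothing on the host needs the full user list:
# turn enumeration off so users are looked up by name on demand.
# enumerate = false
```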