On Thu, 26 Mar 2020, Jannis Mann wrote:
> Hi,
> I just want to check whether the performance of sssd is alright or if there
> is room for improvement.
> I am using a binding account to query the Active Directory.
> I've configured a nesting level of 1.
> When I login the first time or run the id command it takes around 5 secs to
> finish when the user is member of ~100 (nested) groups in the AD.
> It takes around 10 secs if the user is member of ~200 (nested) groups.
> So you can say the loading time is increasing linearly to the membership of
> groups.
> Unfortunately I need to use a nesting level of 1. I've set group members to
> false and enumeration off.
> Are these values in an acceptable area? What experiences did you make?

ignore_group_members = true
If you're in a situation where you can set this, it makes a massive difference to
performance (especially where you have large groups).
I've not retested with newer versions of SSSD, but in the past mounting
/var/lib/sss/db as tmpfs made another big performance difference.
We were getting >60 seconds times for an initial login of a user, which would cause
timeouts elsewhere. This ends up bringing it down to more like one second for a typical
case, and once it's been cached much faster than that.
That was with nesting level 4.
jh
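
The settings mentioned in this thread, collected into one sssd.conf fragment to show where they go. This is an added example, not part of either message; the domain name example.test and the tmpfs size are assumptions.

```ini
# /etc/sssd/sssd.conf (fragment); "example.test" is a placeholder domain name.
[domain/example.test]

# Do not request group member lists from the directory.
# Side effect: "getent group <name>" returns the group with no members;
# a user's own group list (id, initgroups) is still resolved.
ignore_group_members = True

# How many levels of nested groups SSSD follows (SSSD default: 2).
# The original poster needs 1; the reply was measured with 4.
ldap_group_nesting_level = 1

# Do not download every user and group up front (this is the default).
enumerate = False

# Cache on tmpfs, as described in the reply: one /etc/fstab line,
# shown here as a comment because it does not belong in sssd.conf.
# The size value is an assumption; mode 0700 keeps the cache private.
#
#   tmpfs  /var/lib/sss/db  tmpfs  size=300M,mode=0700  0 0
#
# The cache is then empty after every reboot, so cached credentials for
# offline login are gone until each user has logged in online again.
```

Restart sssd after changing these options so they take effect.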