slow login with sssd and ldap config

Gowrishankar Rajaiyan grajaiya at
Fri Jun 11 16:41:46 UTC 2010

On 06/10/2010 05:09 PM, Eric Doutreleau wrote:
> Thanks for your answer.
> Well, I have the problem when I don't set up
> ldap_user_search_base and
> ldap_group_search_base,
> but I discovered that ou=Groups,dc=int-evry,dc=fr contains nothing;
> our POSIX groups are elsewhere,
> and when I put ldap_group_search_base with the good value I have the
> problem again.
> I guess I have to talk to the LDAP guy to see if the data are correctly
> indexed.
> Do you know what I should index on group?
> On 10/06/2010 13:12, Stephen Gallagher wrote:
>> On 06/10/2010 05:50 AM, Eric Doutreleau wrote:
>>> Ahhh, I took a day to write the mail and I found the solution 5 minutes
>>> just after writing the mail.
>>> I added
>>> ldap_group_search_base = ou=Groups,dc=int-evry,dc=fr
>>> and it's far faster.
>>> Sorry to have disturbed.
>> Hmm, this shouldn't have had a direct effect. If unspecified,
>> ldap_group_search_base should default to being the same as
>> ldap_search_base. Unless your LDAP server is incredibly large (and no
>> indexing is being performed), setting this should not have a measurable
>> effect. The primary purpose for this option is for LDAP deployments
>> where users and groups are in vastly disparate sections of the tree.
>> I'm more concerned that there's a bug in our processing when only one of
>> the two options is specified. I'm CCing one of our upstream QE engineers
>> to try and reproduce your original performance issue. I think you may
>> have found a bug here.
>> Eric, if you would also be willing to try it, I'm curious if you still
>> see this problem with only ldap_search_base specified (without
>> ldap_user_search_base and ldap_group_search_base)

Hi Eric,

I was unable to reproduce this issue on my test bed.
My test is as follows:

OS: Fedora release 13 (Goddard)
Version: sssd-1.2.0-12.fc13.x86_64 & nss-pam-ldapd-0.7.6-2.fc13.x86_64

1. Configured sssd.conf as:
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
cache_credentials = True
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
chpass_provider = none
id_provider = ldap
auth_provider = ldap
debug_level = 9
min_id = 1
ldap_uri = ldap://
ldap_schema = rfc2307
ldap_default_bind_dn = uid=puser1,ou=People,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = Secret123
enumerate = False

2. Login with a valid user name and password.
3. Initial authentication takes ~12 seconds.
4. Tried with both ldap_user_search_base & ldap_group_search_base.
5. Tried with just ldap_group_search_base.

Did I miss anything important?

Gowrishankar Rajaiyan <gsr at>
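
Added example, not part of the original thread or of SSSD itself: a small Python audit that resolves the effective user and group search bases for each domain in an sssd.conf, using the fallback to ldap_search_base that Stephen describes, and also flags ldap_tls_reqcert = never as seen in the test configuration. The sample config is constructed, the host name is a placeholder, and the helper names (audit, is_under) are hypothetical.

```python
import configparser

# Constructed sample modelled on the test configuration in this thread;
# the server name is a placeholder, not a value from the original post.
SAMPLE = """
[sssd]
domains = default

[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
"""

def _rdns(dn):
    # Naive DN split: lower-cases and trims each RDN, ignores escaped commas.
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_under(dn, base):
    """True if dn equals base or sits below it in the tree."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def audit(text):
    """Return {domain: (effective bases, findings)} for every enabled domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for name in (d.strip() for d in cp.get("sssd", "domains").split(",")):
        sec = cp["domain/" + name]
        base = sec.get("ldap_search_base", "")
        eff, notes = {}, []
        for kind in ("user", "group"):
            key = "ldap_%s_search_base" % kind
            eff[kind] = sec.get(key, base)  # unset -> falls back to ldap_search_base
            if key in sec and base and not is_under(eff[kind], base):
                notes.append(key + " is outside ldap_search_base")
        if sec.get("ldap_tls_reqcert", "").lower() == "never":
            notes.append("ldap_tls_reqcert=never: server certificate is not verified")
        report[name] = (eff, notes)
    return report

if __name__ == "__main__":
    for dom, (eff, notes) in audit(SAMPLE).items():
        print(dom, eff, notes)
```

A group base reported as outside ldap_search_base is the "vastly disparate sections of the tree" case, where setting ldap_group_search_base explicitly is expected to matter.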