slow login with sssd and ldap config

Eric Doutreleau Eric.Doutreleau at
Tue Jun 15 12:15:22 UTC 2010


I have some news about that problem.
I thought it was solved because I had configured the groups to follow an 
empty part of my LDAP server.
I have configured the groups to read from the good part of my LDAP server 
and the slow performance is back again.

There's something strange, by the way.
On my machine I type
id doutrele
In the sssd_default.log I can read the following line:
(Tue Jun 15 14:00:38 2010) [sssd[be[default]]] [be_get_account_info] (4): Got request for [4097][1][name=doutrele]
then a ton of lines where the system tries to find which groups the user 
doutrele belongs to.
Then I read
(Tue Jun 15 14:00:39 2010) [sssd[be[default]]] [ldb] (9): Entry not found (name=zou,cn=users,cn=default,cn=sysdb)
(Tue Jun 15 14:00:40 2010) [sssd[be[default]]] [sdap_save_groups_loop] (9): Group 5 processed!
(Tue Jun 15 14:00:40 2010) [sssd[be[default]]] [sdap_save_group_send] (7): Adding original DN [cn=CampusTMSP,ou=Group,ou=System,dc=int-evry,dc=fr] to attributes of 
(Tue Jun 15 14:00:40 2010) [sssd[be[default]]] [sdap_save_group_send] (7): Adding member users to group [CampusTMSP]

(Tue Jun 15 14:00:40 2010) [sssd[be[default]]] [sdap_save_group_send] (7): Adding member users to group [CampusTMSP]

It saved a lot of groups in the local cache and proceeded to the last group, 
and I read this:
(Tue Jun 15 14:00:42 2010) [sssd[be[default]]] [ldb] (9): Entry not found (name=zriouil,cn=users,cn=default,cn=sysdb)
(Tue Jun 15 14:00:42 2010) [sssd[be[default]]] [ldb] (9): Entry not found (name=zryouil,cn=users,cn=default,cn=sysdb)
(Tue Jun 15 14:02:32 2010) [sssd[be[default]]] [sdap_save_groups_loop] (9): Group 6 processed!

Then it takes 1m50s to save the last group.
Is there a way to speed up that process?

Thanks in advance for any help

On 10/06/2010 13:58, Stephen Gallagher wrote:
> On 06/10/2010 07:39 AM, Eric Doutreleau wrote:
>> Thanks for your answer.
>> Well, I have the problem when I don't set up
>> ldap_user_search_base and
>> ldap_group_search_base,
>> but I discovered that ou=Groups,dc=int-evry,dc=fr contains nothing;
>> our POSIX groups are elsewhere,
>> and when I set ldap_group_search_base to the good value I have the
>> problem again.
>> I guess I have to talk to the LDAP guy to see if the data are correctly
>> indexed.
>> Do you know what I should index on group?
> Actually, I'd really like to see what's going on that's causing the high
> CPU usage. Could you add 'debug_level = 9' to your /etc/sssd/sssd.conf,
> restart sssd, rerun your request and then tar up and send
> /var/log/sssd/*.log to me (feel free to sanitize any private data)
> It sounds like what's happening is you're getting into a tight loop
> until eventually one of our internal timers kills the process off and
> restarts it.
> It's possible you're hitting
> as well (which
> despite the description has nothing to do with Kerberos). A fix for that
> is available upstream, but I haven't packaged it for Fedora yet (it will
> be in the next package update, though)
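
Added example, not part of the original message or of the SSSD project: a Python script that reads a debug_level = 9 sssd_default.log and reports, for each "Group N processed!" marker, the elapsed time, the longest silence between two log lines, and the number of sysdb "Entry not found" lookups in that interval. The sample lines are constructed from the excerpts above and assume one log entry per line, as in the file on disk; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the sssd_default.log layout quoted in the message.
SAMPLE_LOG = """\
(Tue Jun 15 14:00:38 2010) [sssd[be[default]]] [be_get_account_info] (4): Got request for [4097][1][name=doutrele]
(Tue Jun 15 14:00:39 2010) [sssd[be[default]]] [ldb] (9): Entry not found (name=zou,cn=users,cn=default,cn=sysdb)
(Tue Jun 15 14:00:40 2010) [sssd[be[default]]] [sdap_save_groups_loop] (9): Group 5 processed!
(Tue Jun 15 14:00:40 2010) [sssd[be[default]]] [sdap_save_group_send] (7): Adding member users to group [CampusTMSP]
(Tue Jun 15 14:00:42 2010) [sssd[be[default]]] [ldb] (9): Entry not found (name=zriouil,cn=users,cn=default,cn=sysdb)
(Tue Jun 15 14:02:32 2010) [sssd[be[default]]] [sdap_save_groups_loop] (9): Group 6 processed!
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Jun 15 14:00:38 2010"
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\S*\] \[(?P<func>\w+)\] \(\d+\): (?P<msg>.*)$")
PROCESSED = re.compile(r"Group (\d+) processed!")
ADD_MEMBERS = re.compile(r"Adding member users to group \[([^\]]+)\]")

def group_timings(text):
    """Return one dict per 'Group N processed!' marker found in the log text."""
    results, start, prev = [], None, None
    misses, max_gap, names = 0, 0.0, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation of a wrapped entry, or an unrelated line
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if start is None:
            start = ts  # first entry opens the first interval
        if prev is not None:
            max_gap = max(max_gap, (ts - prev).total_seconds())
        prev, msg = ts, m["msg"]
        if m["func"] == "ldb" and msg.startswith("Entry not found"):
            misses += 1  # sysdb lookup that logged 'Entry not found'
        elif (g := ADD_MEMBERS.match(msg)):
            names.append(g[1])  # group names mentioned inside this interval
        elif (p := PROCESSED.match(msg)):
            results.append({"group": int(p[1]), "seconds": (ts - start).total_seconds(),
                            "max_gap": max_gap, "sysdb_misses": misses, "names": names})
            start, misses, max_gap, names = ts, 0, 0.0, []  # open the next interval
    return results

if __name__ == "__main__":
    for r in group_timings(SAMPLE_LOG):
        print(r)
```

On a real log, pass the contents of /var/log/sssd/sssd_default.log to group_timings() and sort the result by "seconds" to see which interval dominates the lookup time.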
