On 05/27/2015 01:33 PM, Lukas Slebodnik wrote:
On (27/05/15 13:25), Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/4964

--
Martin^3 Babinsky

From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 26 May 2015 18:11:08 +0200
Subject: [PATCH] increase NSS memcache timeout for IPA server

Increasing memcache timeout to 600 seconds when configuring sssd on IPA server
should improve performance when dealing with large groups in trusts.

https://fedorahosted.org/freeipa/ticket/4964
---
ipa-client/ipa-install/ipa-client-install | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, 
cli_server, options, clie
         # the master should only use itself for Kerberos
         domain.set_option('ipa_server', cli_server[0])

+        # increase memcache timeout to 10 minutes when in server mode
+        try:
+            nss_service = sssdconfig.get_service('nss')
+        except SSSDConfig.NoServiceError:
+            nss_service = sssdconfig.new_service('nss')
+
+        nss_service.set_option('memcache_timeout', 600)
+        sssdconfig.save_service(nss_service)
+

NACK

It should not be set to such high value for each client.

It should be configured if and only if sssd is in the ipa-server mode
(trust with AD)

LS

Lukas,

it actually is set only when '--on-master' option is used, as can be (hopefully) seen from the following code:

"""
    if not options.on_master:
        if options.primary:
            domain.set_option('ipa_server', ', '.join(cli_server))
        else:
domain.set_option('ipa_server', '_srv_, %s' % ', '.join(cli_server))
    else:
        domain.set_option('ipa_server_mode', 'True')
        # the master should only use itself for Kerberos
        domain.set_option('ipa_server', cli_server[0])

        # increase memcache timeout to 10 minutes when in server mode
        try:
            nss_service = sssdconfig.get_service('nss')
        except SSSDConfig.NoServiceError:
            nss_service = sssdconfig.new_service('nss')

        nss_service.set_option('memcache_timeout', 600)
        sssdconfig.save_service(nss_service)
"""

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to