While troubleshooting "slow login" with IPA users we discovered that adding
these two lines to our clients' sssd.conf file fixed our issue for IPA users.

ldap_search_base = cn=accounts,dc=ipa,dc=domain,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=domain,dc=com

On the FreeIPA server side's sssd, based on the performance tuning blog post,
we also added these two parameters.

ignore_group_members = True
subdomain_inherit = ignore_group_members

Without these options and with sssd debug enabled, we can see that it goes
through all the trusted AD groups to request membership (I think).

Here's a log entry example:

(Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
[ipa_s2n_get_list_next] (0x0400): Received [testgr...@domain.com]
attributes from IPA server.
(Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
[ipa_s2n_save_objects] (0x0400): Processing group testgr...@domain.com
(Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
[sysdb_search_by_name] (0x0400): No such entry
(Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
[sysdb_search_by_name] (0x0400): No such entry
(Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
[sysdb_search_group_by_gid] (0x0400): No such entry

Should the ldap_search_base and ldap_user_search_base parameters be in our
clients' sssd by default? Is that normal behavior?

We're also experiencing similar login slowness with our AD trusted
credentials. Do similar parameters exist for a trusted AD realm?

Thanks for your help.

Alexandre Pitre
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
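The log excerpt in the post is the kind of evidence you want to quantify before and after a tuning change: how many trusted-domain groups the IPA back end walks during one login, and how many sysdb cache misses that produces. The following is an added example, not code from the post or from the SSSD project. It assumes the single-line debug format visible in the quoted entries (`(<timestamp>) [sssd[be[<domain>]]] [<function>] (<level>): <message>`), counts every `No such entry` from a `sysdb_search_*` function against the group most recently announced by `ipa_s2n_save_objects`, and flags groups whose realm differs from the back end's own domain as trusted-domain groups. The sample log and the group names in it are constructed (the post elides the real names).

```python
import re
from collections import OrderedDict

# Format of one sssd back end debug line, as seen in the quoted excerpt:
#   (<timestamp>) [sssd[be[<domain>]]] [<function>] (<debug level>): <message>
SSSD_LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PROCESSING_GROUP_RE = re.compile(r"^Processing group (?P<group>\S+)$")


def parse_sssd_line(line):
    """Return the fields of one sssd debug line, or None if it is not one."""
    m = SSSD_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_sssd_log(log_text):
    """Count trusted-group lookups and sysdb cache misses in an sssd debug log.

    A "Processing group" message from ipa_s2n_save_objects opens a new group;
    every following "No such entry" from a sysdb_search_* function is counted
    against that group until the next group starts.
    """
    summary = {
        "backend_domain": None,
        "groups_processed": [],   # in the order the back end handled them
        "misses_by_group": OrderedDict(),
        "cache_misses": 0,
        "unparsed_lines": 0,
    }
    current = None
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_sssd_line(raw)
        if rec is None:
            summary["unparsed_lines"] += 1
            continue
        summary["backend_domain"] = summary["backend_domain"] or rec["domain"]
        pg = PROCESSING_GROUP_RE.match(rec["msg"])
        if rec["func"] == "ipa_s2n_save_objects" and pg:
            current = pg.group("group")
            summary["groups_processed"].append(current)
            summary["misses_by_group"].setdefault(current, 0)
        elif rec["func"].startswith("sysdb_search") and rec["msg"] == "No such entry":
            summary["cache_misses"] += 1
            if current is not None:
                summary["misses_by_group"][current] += 1
    return summary


def trusted_domain_groups(summary):
    """Groups whose realm differs from the IPA back end's own domain, i.e. the
    trusted-domain (AD) groups the post says sssd walks one by one."""
    own = summary["backend_domain"]
    return [g for g in summary["groups_processed"]
            if "@" in g and g.rsplit("@", 1)[1] != own]


def _entry(func, msg, domain="ipa.domain.com"):
    # Builds a constructed log line in the format quoted in the post.
    return "(Mon Dec 18 23:50:49 2017) [sssd[be[%s]]] [%s] (0x0400): %s" % (domain, func, msg)


# Constructed sample: three trusted AD groups (names invented), each producing
# the same Received / Processing / No such entry sequence as the post shows,
# plus one wrapped continuation line that is not a log entry.
SAMPLE_LOG = "\n".join(
    line
    for g in ("testgroup1@domain.com", "testgroup2@domain.com", "testgroup3@domain.com")
    for line in (
        _entry("ipa_s2n_get_list_next", "Received [%s] attributes from IPA server." % g),
        _entry("ipa_s2n_save_objects", "Processing group %s" % g),
        _entry("sysdb_search_by_name", "No such entry"),
        _entry("sysdb_search_by_name", "No such entry"),
        _entry("sysdb_search_group_by_gid", "No such entry"),
    )
) + "\n  continuation text that is not a log entry\n"


if __name__ == "__main__":
    s = summarize_sssd_log(SAMPLE_LOG)
    print("back end domain:", s["backend_domain"])
    print("groups processed:", len(s["groups_processed"]))
    print("trusted-domain groups:", trusted_domain_groups(s))
    print("sysdb cache misses:", s["cache_misses"], dict(s["misses_by_group"]))
```

Run it against a real `/var/log/sssd/sssd_<domain>.log` captured with debug level 0x0400 or higher, once before and once after adding `ignore_group_members`, and compare the number of trusted-domain groups processed and the miss count for a single login; real logs keep each entry on one line, so the continuation-line handling above only matters for excerpts that were wrapped when pasted.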
