On Mon, Dec 18, 2017 at 06:59:25PM -0500, Alexandre Pitre via FreeIPA-users 
> Hi,
> While troubleshooting "slow login" with ipa users we discovered that adding
> these two lines to our clients sssd.conf file fixed our issue for ipa users.
> ldap_search_base = cn=accounts,dc=ipa,dc=domain,dc=com

This should already be the default

> ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=domain,dc=com

This is not, but does it really make much of a difference? By default,
both the user and group search bases are set to

> On the freeipa server side's sssd, we also added, based on the performance
> tuning blog post
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/,
> these two parameters.
> ignore_group_members = True
> subdomain_inherit = ignore_group_members

I think this is what makes the difference

> Without these options and sssd debug enabled, we can see that it goes
> through all the trusted AD group to request membership(I think).
> Here's a log entry example:
> (Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
> [ipa_s2n_get_list_next] (0x0400): Received [testgr...@domain.com]
> attributes from IPA server.
> (Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
> [ipa_s2n_save_objects] (0x0400): Processing group testgr...@domain.com
> (Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
> [sysdb_search_by_name] (0x0400): No such entry
> (Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
> [sysdb_search_by_name] (0x0400): No such entry
> (Mon Dec 18 23:50:49 2017) [sssd[be[ipa.domain.com]]]
> [sysdb_search_group_by_gid] (0x0400): No such entry
> Should ldap_search_base and lda_user_seach_base parameters should be in our
> clients sssd per default ? Is that a normal behavior ?

Yes, currently the group resolution is not super fast in a large domain.
But we've added some performance improvements in the 1.16.x branch of
SSSD which should make its way (at least to) RHEL-7.5

> We're also experiencing similar login slowness with our AD trusted
> credentials. Do similar parameters exist for a trusted AD realm ?

Some parameters for the trusted domains can be set in the trusted domain
section directly, e.g.

ad_site = site_override

some parameters must still be set in the trusted domain set with the
subdomain_inherit option. Sorry it's a bit inconvenient, we have a PR to
unify the behaviour and allow setting all parameters in the subdomain
sub-section, but the PR is not merged yet.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to