On pe, 09 syys 2022, Ranbir via FreeIPA-users wrote:
On Fri, 2022-09-09 at 08:53 +0200, Florence Blanc-Renaud via FreeIPA-
users wrote:
Are you aware of the following guide: Tuning performance in Identity
Management [1] ? It contains a chapter that may help clarify settings
to apply on servers vs clients: Tuning SSSD performance for large
IdM-AD trust deployments [2].
Yes, I've read those and I've implemented some of the recommendations
in there. But, I'm still left with the questions I asked. The man pages
and other documentation don't make it clear when each of the options in
sssd.conf are better suited on a master or a client. To me, this is
important info.
Consider this: only IPA servers contact AD DCs for identity information
and all IPA-enrolled systems contact AD DCs for authentication
information.
This means you have a pretty good criteria to split SSSD options:
- if they concern LDAP operations towards AD DCs, they apply to IPA
servers
- if they concern authentication done against AD DCs, they apply to all
IPA-enrolled systems
I'm going to try moving the cache timeouts to a master to see if that
helps speed up Ubuntu 20 and 22 clients even more. Right now, the few
Ubuntu 20 clients are faster than before, but they still are much
slower than CentOS, Rocky Linux and AlmaLinux clients.
Cache timeouts are for identity information so they needed on IPA server
side, indeed.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
