sgall...@redhat.com wrote:
On Wed, 2012-06-27 at 13:18 -0400, Mark London wrote:
Hi - We are running SSSD with LDAP at our site, where we have several
hundred users. LDAP is being served by our Windows domain server.
With entry_cache_timeout set to a short value, when someone does an
operation that requires information for multiple users, i.e. listing the
owners of all of the user's home directories via the command "ls -l
/home", this will take many many minutes to complete. Of course, this
happens, because an LDAP request has to be issued for each user, and
then stored in the database. Further similar operations will complete
quickly, during the entry_cache_timeout period. But such operations do
not occur frequently enough for the data to be kept in the cache.
The only solution seems to be to simply increase entry_cache_timeout to
a very large value. Of course, this is not ideal, because changes to
the ldap entries will not be seen for a long time. A kludge workaround,
would be to keep a low timeout, and have a cron job that runs the
command "ls -l /home" every 5 minutes, on each workstation.
Is there a more elegant way to solve this problem? Thanks. - Mark
If this action is a very common one (listing all of /home), then in your
particular environment you will probably want to set 'enumerate = True'
in the [domain/DOMAINNAME] section of sssd.conf.
What this does is instruct SSSD to poll for cache updates on a regular
basis and store cached information about all users and groups at all times.
Hi - We have enumerate turned on and it works great when SSSD is
started, as "ls -l /home" returns immediately. However, that's not the
case, no matter what I set ldap_enumeration_refresh_timeout. I.e. After
I received your email, I thought maybe that the enumeration data was
being cleared out of the cache somehow. So I tried setting the
ldap_enumeration_refresh_timeout to much less than entry_cache_timeout.
Should that prevent the cached entries from ever timing out? In any
event, it doesn't appear to work. "ls -l /home" still takes a long time
and triggers requests.
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'hereiam' matched without domain, user is hereiam
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [hereiam] from [<ALL>]
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/PSFC/hereiam]
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [hereiam@PSFC]
Here's our sssd.conf. Thanks for any help. - Mark
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LOCAL,LDAP
domains = PSFC
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0
# The entry_cache_timeout indicates the number of seconds to retain an
# entry in cache before it is considered stale and must block to refresh.
# The entry_cache_nowait_timeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full entry_cache_timeout). Setting this
# value to 0 turns this feature off (default).
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300
[pam]
reconnection_retries = 3
debug_level = 0
[domain/PSFC]
description = LDAP domain with AD server
enumerate = true
min_id = 501
cache_credentials = true
entry_cache_timeout = 600
debug_level = 0
ldap_enumeration_refresh_timeout = 120
id_provider = ldap
chpass_provider = none
auth_provider = ldap
ldap_uri = _srv_,ldaps://198.125.180.133
ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_tls_cacert = /etc/openldap/cacerts/test.cer
ldap_schema = rfc2307bis
ldap_search_base = dc=psfc,dc=mit,dc=edu
ldap_user_search_base = dc=psfc,dc=mit,dc=edu
ldap_group_search_base = dc=psfc,dc=mit,dc=edu
ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC Users,DC=psfc,DC=mit,DC=edu
ldap_default_authtok_type = password
# The bind password is stored in cleartext here, so sssd.conf must stay
# readable by root only (mode 0600) and the bind account read-only.
ldap_default_authtok = ldapread
#ldap_pwd_policy = none
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_member = msSFU30PosixMember
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_name = name
ldap_group_gid_number = msSFU30GidNumber
ldap_force_upper_case_realm = True
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
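The thread turns on how often a getpwnam lookup lands on an entry older than entry_cache_timeout (and so blocks on an LDAP round-trip) versus being answered from the cache. The script below is an added example, not code from the thread or from the SSSD project: it reads entry_cache_timeout and entry_cache_nowait_timeout from sssd.conf-style text with configparser, then replays "Requesting info for [user]" lines in the sssd_nss.log format quoted above and counts, per the [nss] comments in the posted config (stale after entry_cache_timeout; out-of-band refresh after entry_cache_nowait_timeout while still answering from cache), which requests would block. The config fragment mirrors the PSFC domain settings from the thread; the log lines, the users alice and bob, and the SSSD default of 5400 seconds when entry_cache_timeout is unset are assumptions made for this example.

```python
"""Replay sssd_nss.log getpwnam requests against the configured cache timeouts.

Added example for the sssd-devel thread above; not part of SSSD. The
config and log text below are constructed for this example.
"""
import configparser
import re
from collections import defaultdict
from datetime import datetime

# Matches the nss_cmd_getpwnam_cb line format shown in the thread.
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[nss\]\] \[nss_cmd_getpwnam_cb\] "
    r"\(0x[0-9a-f]+\): Requesting info for \[(?P<user>[^\]]+)\] from \[[^\]]+\]$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed: the cache-related lines of the PSFC domain from the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = PSFC

[domain/PSFC]
enumerate = true
entry_cache_timeout = 600
ldap_enumeration_refresh_timeout = 120
"""

# Constructed: two "ls -l /home" bursts 16 minutes apart plus one lookup between.
SAMPLE_LOG = """\
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'hereiam' matched without domain, user is hereiam
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [hereiam] from [<ALL>]
(Thu Jun 28 08:04:06 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [alice] from [<ALL>]
(Thu Jun 28 08:04:07 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [bob] from [<ALL>]
(Thu Jun 28 08:12:00 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [hereiam] from [<ALL>]
(Thu Jun 28 08:20:30 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [hereiam] from [<ALL>]
(Thu Jun 28 08:20:30 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [alice] from [<ALL>]
(Thu Jun 28 08:20:31 2012) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0400): Requesting info for [bob] from [<ALL>]
"""


def cache_timeouts(conf_text, domain):
    """Return (entry_cache_timeout, entry_cache_nowait_timeout) for a domain.

    5400 s is SSSD's documented default when entry_cache_timeout is unset
    (assumption stated in the lead-in); nowait defaults to 0 (off).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp[f"domain/{domain}"]
    return sect.getint("entry_cache_timeout", 5400), sect.getint("entry_cache_nowait_timeout", 0)


def parse_requests(log_text):
    """Extract (timestamp, user) from getpwnam request lines; skip other lines."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], TS_FMT), m["user"]))
    return out


def replay(requests, entry_timeout, nowait_timeout=0):
    """Classify each request as a blocking miss or a cache hit.

    A miss (cold entry or age > entry_timeout) refreshes the entry now.
    A hit with age > nowait_timeout (when nowait is enabled) is answered
    from cache but schedules an out-of-band refresh, so the entry's age
    restarts without blocking the caller.
    """
    last_refresh = {}
    stats = {"hit": 0, "miss": 0, "background_refresh": 0}
    misses_per_user = defaultdict(int)
    for ts, user in requests:
        since = last_refresh.get(user)
        age = None if since is None else (ts - since).total_seconds()
        if age is None or age > entry_timeout:
            stats["miss"] += 1
            misses_per_user[user] += 1
            last_refresh[user] = ts
        else:
            stats["hit"] += 1
            if nowait_timeout and age > nowait_timeout:
                stats["background_refresh"] += 1
                last_refresh[user] = ts
    return stats, dict(misses_per_user)


if __name__ == "__main__":
    timeout, nowait = cache_timeouts(SAMPLE_CONF, "PSFC")
    reqs = parse_requests(SAMPLE_LOG)
    print("as configured:", replay(reqs, timeout, nowait))
    print("what-if nowait=300:", replay(reqs, timeout, 300))
```

Run it against a real /var/log/sssd/sssd_nss.log (debug_level raised on the [nss] section) to see how many of a burst's lookups would block; the what-if call shows that an entry_cache_nowait_timeout shorter than the gap between bursts keeps repeat lookups of the same user from blocking, although users not looked up within entry_cache_timeout still miss.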