Am Tue, Nov 30, 2021 at 02:24:34PM -0000 schrieb Robert Wagensveld: > Hi all, > > We've been using SSSD for a while successfully in our Kerberos over > LDAP enterprise environment. However, our SSSD online query time, > especially over VPN, is very poor, usually each login request or sudo > requests takes about 1 minute. There does not seem to be a way around > it, not even forcing SSSD to use the cache for a while even when > online again. entry_cache_timeout does not help. Is there anything > I'm missing? Some configuration options I do not know about yet?
Hi, until recently SSSD unconditionally updated the group-memberships of the user during authentication. With recent versions of SSSD there is the new option pam_initgroups_scheme and SSSD does not update the group-memberships if the related user is already logged in. This should already help for sudo. To speed up the login as well if the user is not already logged in you can set 'pam_initgroups_scheme = never' and SSSD will used cached data as long as the cached data is valid. HTH bye, Sumit > > [sssd] > config_file_version = 2 > services = nss, pam, ifp > domains = company.nl > debug_level = 9 > [nss] > entry_cache_nowait_percentage = 5 > filter_groups = root > filter_users = root > debug_level = 9 > [pam] > offline_failed_login_attempts = 3 > offline_failed_login_delay = 30 > debug_level = 9 > [domain/company.nl] > debug_level = 9 > id_provider = ldap > ignore_group_members = true > auth_provider = krb5 > chpass_provider = krb5 > access_provider = permit > cache_credentials = true > min_id = 1000 > entry_cache_timeout = 28800 > krb5_realm = COMPANY.NL > krb5_canonicalize = false > krb5_renewable_lifetime = 24h > krb5_renew_interval = 6h > krb5_server = dc03.company.nl > krb5_store_password_if_offline = true > krb5_ccname_template = FILE:%d/krb5cc_%U > ldap_uri = ldap://dc03.company.nl > ldap_search_base = DC=Company,DC=nl > ldap_user_search_base = OU=CompanyCompany,DC=nl > ldap_group_search_base = OU=Company,DC=Company,DC=nl?? > ldap_referrals = false > enumerate = false > ldap_force_upper_case_realm = true > ldap_schema = rfc2307bis > ldap_id_use_start_tls = false > ldap_tls_reqcert = demand > ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt > ldap_sasl_canonicalize = true > ldap_sasl_mech = GSSAPI > ldap_user_object_class = user > ldap_user_name = sAMAccountName > ldap_user_uid_number = uidNumber > ldap_user_gid_number = gidNumber > ldap_user_gecos = gecos > ldap_user_shell = loginShell > ldap_user_home_directory = unixHomeDirectory > ldap_user_principal = nonExistingAttribute > ldap_group_object_class = group > ldap_group_name = cn > ldap_group_gid_number = gidNumber > ldap_group_member = member > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
