Hello sssd-users,
I'm experiencing severe performance degradation with SSSD when using
ldap_schema=rfc2307bis. User lookups with "id" can take several seconds,
and I believe that I have identified the root cause.
## Symptoms:
- SSSD logs: "LDAP operation ... seems slow, took more than 80% of timeout"
- OpenLDAP logs: "deferring operation: pending operations"
- Simple "id username" commands taking 5-10+ seconds (when not cached)
## Root Cause:
When looking up a single user, SSSD appears to be sending individual
LDAP queries for EVERY member of EVERY group the user belongs to. This
results in thousands of near-simultaneous asynchronous LDAP searches.
OpenLDAP's conn_max_pending/conn_max_pending_auth parameters are
correctly throttling these requests, causing the perceived slowness.
## Environment:
- SSSD version: 2.9.6
- OpenLDAP version: 2.5.20
## Questions:
1. Why does SSSD need to resolve all group members when looking up a
single user? This should be unnecessary to id a single user.
2. Can SSSD be configured to return just the group names/GIDs for a user
lookup without also fetching full details of every member in those groups?
3. Could SSSD batch these queries or use more efficient LDAP operations?
I've attached my sssd.conf. The key setting is ldap_schema=rfc2307bis.
This behavior effectively makes rfc2307bis unusable in environments with
large groups. Any guidance would be appreciated.
Many thanks,
--
Chris Paul | Rex Consulting | https://www.rexconsulting.net
```ini
[sssd]
domains = rexconsulting.net
user = sssd
services = nss, pam
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
offline_credentials_expiration = 3
[domain/rexconsulting.net]
id_provider = ldap
auth_provider = ldap
sudo_provider = None
ldap_uri = ldaps://ldap.lab.rexconsulting.net
ldap_default_bind_dn = cn=sssd_admin,dc=lab,dc=rexconsulting,dc=net
ldap_default_authtok = REDACT
ldap_search_base = dc=rexconsulting,dc=net
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/tls/cacerts/
ldap_schema = rfc2307bis
ldap_connection_expire_timeout = 3600
ldap_connection_idle_timeout = 0
cache_credentials = true
enumerate = false
ldap_enumeration_refresh_timeout = 900
ldap_purge_cache_timeout = 3600
ldap_disable_paging = true
timeout = 60
ldap_group_nesting_level = 0
```
--
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
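To put numbers behind the two symptoms the post quotes (the SSSD "seems slow, took more than 80% of timeout" warning and the OpenLDAP "deferring operation: pending operations" message), the following script is an added example that is not part of the original post and not SSSD or OpenLDAP project code. It counts both messages in log excerpts, groups slapd deferrals per connection, and reports the peak number of deferrals inside any short time window, which is the burst pattern one would expect if a single user lookup fans out into many concurrent searches. The timestamp layouts (SSSD lines opening with "(YYYY-MM-DD HH:MM:SS)", slapd lines in syslog form) are assumptions, and every sample log line below is constructed; adjust the regexes to your own log format.

```python
"""Tally SSSD slow-operation warnings and slapd deferrals from log excerpts.

Added diagnostic example (not from the mailing-list post, SSSD or OpenLDAP).
Assumed timestamp layouts; sample lines are constructed, not real captures.
"""
import re
from collections import Counter
from datetime import datetime

# The two message fragments quoted in the post.
SSSD_SLOW = "seems slow, took more than 80% of timeout"
SLAPD_DEFER = "deferring operation: pending operations"

# Assumed layouts: SSSD debug log "(YYYY-MM-DD HH:MM:SS): ...",
# slapd via syslog "Mon DD HH:MM:SS host slapd[pid]: ... conn=N ...".
SSSD_TS = re.compile(r"^\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
SLAPD_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")
SLAPD_CONN = re.compile(r"\bconn=(\d+)")


def _second_of_day(ts: str, fmt: str) -> int:
    """Reduce a timestamp to seconds since midnight so both logs bucket alike."""
    t = datetime.strptime(ts, fmt)
    return t.hour * 3600 + t.minute * 60 + t.second


def sssd_slow_ops(lines):
    """Seconds-of-day of every SSSD 'seems slow' warning in the excerpt."""
    out = []
    for line in lines:
        if SSSD_SLOW not in line:
            continue
        m = SSSD_TS.match(line)
        if m:
            out.append(_second_of_day(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return out


def slapd_deferrals(lines):
    """(seconds-of-day, connection id) of every slapd deferral in the excerpt."""
    out = []
    for line in lines:
        if SLAPD_DEFER not in line:
            continue
        m = SLAPD_TS.match(line)
        c = SLAPD_CONN.search(line)
        if m and c:
            out.append((_second_of_day(m.group(1), "%b %d %H:%M:%S"), int(c.group(1))))
    return out


def peak_per_window(seconds, window=5):
    """Largest number of events landing in any single `window`-second bucket."""
    if not seconds:
        return 0
    return max(Counter(s // window for s in seconds).values())


def analyze(sssd_lines, slapd_lines, window=5):
    """Summarise both logs; a high peak with few connections points at fan-out."""
    slow = sssd_slow_ops(sssd_lines)
    defers = slapd_deferrals(slapd_lines)
    return {
        "slow_ops": len(slow),
        "deferrals": len(defers),
        "deferrals_per_conn": Counter(conn for _, conn in defers),
        "peak_deferrals_per_window": peak_per_window([s for s, _ in defers], window),
    }


# Constructed sample excerpts (function names and ids are placeholders).
SSSD_SAMPLE = [
    "(2025-01-10 09:15:01): [be[example.test]] [ldap_op] (0x0040): LDAP operation [17] seems slow, took more than 80% of timeout",
    "(2025-01-10 09:15:01): [be[example.test]] [ldap_op] (0x0400): Search result: Success(0), no errmsg set",
    "(2025-01-10 09:15:03): [be[example.test]] [ldap_op] (0x0040): LDAP operation [18] seems slow, took more than 80% of timeout",
]
SLAPD_SAMPLE = [
    "Jan 10 09:15:01 ldap slapd[4711]: connection_input: conn=1042 deferring operation: pending operations",
    "Jan 10 09:15:01 ldap slapd[4711]: connection_input: conn=1042 deferring operation: pending operations",
    "Jan 10 09:15:02 ldap slapd[4711]: conn=1042 op=300 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    "Jan 10 09:15:02 ldap slapd[4711]: connection_input: conn=1043 deferring operation: pending operations",
    "Jan 10 09:15:09 ldap slapd[4711]: connection_input: conn=1042 deferring operation: pending operations",
]

if __name__ == "__main__":
    for key, value in analyze(SSSD_SAMPLE, SLAPD_SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it real excerpts by reading the SSSD domain log and the slapd syslog into the two lists; the window size should be set to a little under the `timeout` value in sssd.conf so that a burst of deferrals on one connection lines up with the SSSD warning that follows it.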