On Mon, 2025-07-21 at 17:17 -0700, Christopher Paul via sssd-users
wrote:
>  
> Hello sssd-users,
>  
>  I'm experiencing severe performance degradation with SSSD when using
> ldap_schema=rfc2307bis. User lookups with "id" can take several
> seconds, and I believe that I have identified the root cause.
>  
>  ## Symptoms:
>  - SSSD logs: "LDAP operation ... seems slow, took more than 80% of
> timeout"
>  - OpenLDAP logs: "deferring operation: pending operations"
>  - Simple "id username" commands taking 5-10+ seconds (when not
> cached) 
>  
> 
>  ## Root Cause:
>  When looking up a single user, SSSD appears to be sending individual
> LDAP queries for EVERY member of EVERY group the user belongs to.
> This results in thousands of near-simultaneous asynchronous LDAP
> searches.
>  
>  OpenLDAP's conn_max_pending/conn_max_pending_auth parameters are
> correctly throttling these requests, causing the perceived slowness.
>  
>  ## Environment:
>  - SSSD version: 2.9.6
>  - OpenLDAP version: 2.5.20
>  
>  ## Questions:
>  1. Why does SSSD need to resolve all group members when looking up a
> single user? This should be unnecessary to id a single user.
>  2. Can SSSD be configured to return just the group names/GIDs for a
> user lookup without also fetching full details of every member in
> those groups?
>  3. Could SSSD batch these queries or use more efficient LDAP
> operations?
>  
>  I've attached my sssd.conf. The key setting is
> ldap_schema=rfc2307bis.
>  
>  This behavior effectively makes rfc2307bis unusable in environments
> with large groups. Any guidance would be appreciated.

This is a common topic covered throughout the sssd mail archives. 
Configure your client to not enumerate groups by adding the following
to your sssd.conf.

enumerate = false

from man sssd.conf:

    enabling enumeration is not recommended, especially in large environments.

Consider it a win for confidentiality.

Mark
-- 
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
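Added example, not part of the original thread: a small shell check that reads an sssd.conf and reports, per [domain/...] section, whether `enumerate` is switched on, followed by the commands used to re-test a lookup after the setting is changed. The config file path is taken as the first argument; the sample config, domain names and LDAP URIs below are constructed for the demo and are not from the original post.

```shell
#!/bin/sh
# Added example (not from the sssd-users thread). Checks which domains in an
# sssd.conf enable enumeration. enumerate is a per-domain option, so keys
# outside a [domain/...] section are ignored. Sample data below is constructed.

# Print one line per domain section that sets "enumerate", as
#   domain/<name>=<true|false>
sssd_enumeration_report() {
    awk '
        /^[[:space:]]*\[/ {
            section = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", section)
            next
        }
        section ~ /^domain\// && /^[[:space:]]*enumerate[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)   # keep only the value
            sub(/[[:space:]]+$/, "", val)         # drop trailing whitespace
            print section "=" tolower(val)
        }
    ' "$1"
}

# Exit 0 if any domain in the file has enumerate = true.
sssd_enumeration_enabled() {
    sssd_enumeration_report "$1" | grep -q '=true$'
}

# Constructed sample: one domain that enumerates (the slow case) and one that
# does not, both with ldap_schema = rfc2307bis as in the original post.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = corp.example, lab.example

[domain/corp.example]
id_provider = ldap
ldap_uri = ldaps://ldap.corp.example
ldap_schema = rfc2307bis
enumerate = True

[domain/lab.example]
id_provider = ldap
ldap_uri = ldaps://ldap.lab.example
ldap_schema = rfc2307bis
enumerate = false
EOF

# Constructed sample with no enumerating domain, for the negative case.
QUIET_CONF=$(mktemp)
sed '/^enumerate = True$/d' "$SAMPLE_CONF" >"$QUIET_CONF"

sssd_enumeration_report "$SAMPLE_CONF"
# domain/corp.example=true
# domain/lab.example=false

# After setting enumerate = false in the real /etc/sssd/sssd.conf:
#   sssctl config-check      # validate syntax and file permissions
#   systemctl restart sssd
#   sss_cache -E             # flush the cache so the next lookup really hits LDAP
#   time id someuser         # compare with the uncached 5-10 s seen before
```

Usage note: `enumerate` defaults to false in sssd, so a domain section that never sets it is already not enumerating; the report only lists domains that set the key explicitly. Run `sss_cache -E` before timing, otherwise `id` answers from the local cache and the measurement says nothing about the LDAP round trips.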