https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/

"In the RFC2307 compatibility layer, we have no memberOf or anything similar to use for identifying group membership. But we do have the “uid=ldapy” attribute. If we wanted to set ACI policy based on this information, we would have to authenticate the user, grab the UID attribute, then compare it to a specific group’s list of memberUIDs (or search through all groups to find which one has the correct memberUID)."
Ironically, perhaps this is something Samba AD compensates for: I defined our schema as RFC2307, but I see memberOf definitions in my users anyway, so the above scenario may not apply. So what is your directory server, and could you check your schema definition and see if there are any memberOf definitions? Or is it a straight uid?

On Mon, Jul 21, 2025 at 5:35 PM Christopher Paul via sssd-users <sssd-users@lists.fedorahosted.org> wrote:

> Hello sssd-users,
>
> I'm experiencing severe performance degradation with SSSD when using ldap_schema=rfc2307bis. User lookups with "id" can take several seconds, and I believe that I have identified the root cause.
>
> ## Symptoms:
> - SSSD logs: "LDAP operation ... seems slow, took more than 80% of timeout"
> - OpenLDAP logs: "deferring operation: pending operations"
> - Simple "id username" commands taking 5-10+ seconds (when not cached)
>
> ## Root Cause:
> When looking up a single user, SSSD appears to be sending individual LDAP queries for EVERY member of EVERY group the user belongs to. This results in thousands of near-simultaneous asynchronous LDAP searches.
>
> OpenLDAP's conn_max_pending/conn_max_pending_auth parameters are correctly throttling these requests, causing the perceived slowness.
>
> ## Environment:
> - SSSD version: 2.9.6
> - OpenLDAP version: 2.5.20
>
> ## Questions:
> 1. Why does SSSD need to resolve all group members when looking up a single user? This should be unnecessary to id a single user.
> 2. Can SSSD be configured to return just the group names/GIDs for a user lookup without also fetching full details of every member in those groups?
> 3. Could SSSD batch these queries or use more efficient LDAP operations?
>
> I've attached my sssd.conf. The key setting is ldap_schema=rfc2307bis.
>
> This behavior effectively makes rfc2307bis unusable in environments with large groups. Any guidance would be appreciated.
>
> Many thanks,
>
> --
> Chris Paul | Rex Consulting | https://www.rexconsulting.net
>
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
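The reply above asks what the directory actually exposes (memberOf on users, or plain uid/memberUid on groups), and the original post describes the per-member lookups that rfc2307bis can trigger. As an added example, not code from this thread, from SSSD or from OpenLDAP, the Python script below reads an LDIF export (for example the output of ldapsearch -LLL) and reports which membership attributes the groups use, whether users carry memberOf, and how many distinct member DNs would have to be resolved for one user. The LDIF embedded in it is constructed sample data: every DN, uid and group name is made up.

```python
"""Check which group-membership attributes an LDAP export uses.

Added example for this thread, not SSSD code or the posters' code. The LDIF is
constructed sample data; the DNs, uids and group names are made up.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=ldapy,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: ldapy
gidNumber: 20001
memberOf: cn=devs,ou=groups,dc=example,dc=com

dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: devs
member: uid=ldapy,ou=people,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,
 dc=example,dc=com

dn: cn=legacy,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: legacy
memberUid: ldapy
memberUid: carol
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Attribute names are lowercased (LDAP compares them case-insensitively) and
    folded lines (leading space) are joined onto the previous line. Base64
    ("::") and URL (":<") values are not needed for this check and are skipped.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
        elif not line.startswith("#"):
            attr, sep, value = line.partition(":")
            if sep and not value.startswith((":", "<")):
                if current is None:
                    current = defaultdict(list)
                current[attr.strip().lower()].append(value.strip())
    return entries


def has_class(entry, name):
    return name.lower() in {v.lower() for v in entry.get("objectclass", [])}


def classify_schema(entries):
    """Label groups as rfc2307 (memberUid), rfc2307bis (member DN), mixed or
    unknown, and report whether every posixAccount carries memberOf."""
    groups = [e for e in entries if has_class(e, "posixGroup")]
    users = [e for e in entries if has_class(e, "posixAccount")]
    by_dn = sum("member" in g for g in groups)
    by_uid = sum("memberuid" in g for g in groups)
    label = ("mixed" if by_dn and by_uid else "rfc2307bis" if by_dn
             else "rfc2307" if by_uid else "unknown")
    return {
        "schema": label,
        "groups_with_member_dn": by_dn,
        "groups_with_memberuid": by_uid,
        "all_users_have_memberof": bool(users) and all("memberof" in u for u in users),
    }


def groups_of(entries, user_dn, uid):
    """Groups holding the user by member DN (rfc2307bis) or memberUid (rfc2307)."""
    return [g for g in entries if has_class(g, "posixGroup")
            and (user_dn in g.get("member", []) or uid in g.get("memberuid", []))]


def member_dns_to_resolve(entries, user_dn, uid):
    """Other member DNs across the user's groups. Each is a DN that has to be
    looked up to become a uid, which is the per-member fan-out the original
    post describes; memberUid values are already uids and contribute nothing."""
    dns = set()
    for g in groups_of(entries, user_dn, uid):
        dns.update(g.get("member", []))
    dns.discard(user_dn)
    return sorted(dns)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user = "uid=ldapy,ou=people,dc=example,dc=com"
    print(classify_schema(entries))
    print(len(groups_of(entries, user, "ldapy")), "groups; member DNs to resolve:",
          member_dns_to_resolve(entries, user, "ldapy"))
```

On a real export, every group counted under groups_with_member_dn is one whose members are DNs rather than uids, which is exactly the case where the per-member fan-out in the original post applies; a group listed only by memberUid needs no such lookups. sssd-ldap(5) documents ignore_group_members for skipping member retrieval on group lookups; whether that is acceptable depends on what the clients expect from getgrnam.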