[SSSD-users]Re: SSSD with rfc2307bis causes thousands of concurrent LDAP queries, triggering OpenLDAP flow control

Wed, 23 Jul 2025 09:22:21 -0700 

On 7/23/2025 2:44 AM, Sumit Bose wrote:


Btw, I think the original question was not about the large number of
requests in general but that SSSD is sending those in parallel (sending
the next request before a reply for the previous was received). This is
indeed unexpected and comes most probably from
`sdap_process_group_members_2307bis()`
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_SSSD_sssd_blob_master_src_providers_ldap_sdap-5Fasync-5Fgroups.c-23L1382&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=kNfe78trlDa8qcpE6Krv-hqja3H7VlB9J4LBxzcpgL8&m=eUgFYfb2uce4BeT-EaQDaOKj2UtPxr01SLOTMvJAk1VeEZNjkOukKarwjjKW_P6r&s=eZMrQ_5_iR7f4Y04KJc4LrK-FR7bq2MbeMkGmRn353g&e=
As you can see there is a loop which calls
`sdap_process_missing_member_2307bis()` for every group missing in the
cache which sends an asynchronous LDAP search without waiting for a
reply. This should most probably be handled differently to not overload
and LDAP server. Can you open an issue on github for this?

bye,
Sumit


Hi Sumit,
Yes, and thank you. That is my concern. I have submitted https://github.com/SSSD/sssd/issues/8047. I have added to the problem report a suggestion to consider: "Instead of sending many hundreds or thousands of individual lookups for each user, why not send batched queries using OR filters for groups of users. There must be a sweet spot of batch size to reduce the number of round trips but also not exceed MTU or other limitations." I'm not sure that's possible or not in this situation, but it seems like it may be more efficient if possible. 

Many thanks,

--
Chris Paul | Rex Consulting |https://www.rexconsulting.net





-- 
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to