Re: slow login with sssd and ldap config


On 06/10/2010 05:09 PM, Eric Doutreleau wrote:
> Thanks for your answer.
> Well, I have the problem when I don't set up
> ldap_user_search_base and
> ldap_group_search_base,
> but I discovered that ou=Groups,dc=int-evry,dc=fr contains nothing;
> our POSIX groups are elsewhere,
> and when I set ldap_group_search_base to the correct value I have the
> problem again.
> I guess I have to talk to the LDAP guy to see if the data are correctly
> indexed.
> Do you know what I should index on group?
> 
> On 10/06/2010 13:12, Stephen Gallagher wrote:
>> On 06/10/2010 05:50 AM, Eric Doutreleau wrote:
>>> Ahhh, I took a day to write the mail and I found the solution 5 minutes
>>> just after writing the mail.
>>>
>>> I added
>>> ldap_group_search_base = ou=Groups,dc=int-evry,dc=fr
>>> and it's far faster.
>>>
>>> Sorry to have disturbed.
>>>
>>
>> Hmm, this shouldn't have had a direct effect. If unspecified,
>> ldap_group_search_base should default to being the same as
>> ldap_search_base. Unless your LDAP server is incredibly large (and no
>> indexing is being performed), setting this should not have a measurable
>> effect. The primary purpose for this option is for LDAP deployments
>> where users and groups are in vastly disparate sections of the tree.
>>
>> I'm more concerned that there's a bug in our processing when only one of
>> the two options is specified. I'm CCing one of our upstream QE engineers
>> to try and reproduce your original performance issue. I think you may
>> have found a bug here.
>>
>> Eric, if you would also be willing to try it, I'm curious if you still
>> see this problem with only ldap_search_base specified (without
>> ldap_user_search_base and ldap_group_search_base)
>>
>>
>>


Hi Eric,

I was unable to reproduce this issue on my test bed.
My test is as follows:

OS: Fedora release 13 (Goddard)
Version: sssd-1.2.0-12.fc13.x86_64 & nss-pam-ldapd-0.7.6-2.fc13.x86_64

Method:
1. Configured sssd.conf as:
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
cache_credentials = True
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
chpass_provider = none
id_provider = ldap
auth_provider = ldap
debug_level = 9
min_id = 1
ldap_uri = ldap://ldap.server.hostname.com:389
ldap_schema = rfc2307
ldap_default_bind_dn = uid=puser1,ou=People,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = Secret123
enumerate = False

2. Login with a valid user name and password.
3. Initial authentication takes ~12 seconds.
4. Tried with both ldap_user_search_base & ldap_group_search_base.
5. Tried with just ldap_group_search_base.

Did I miss anything important?

Thanks
-- 
Gowrishankar Rajaiyan <gsr@xxxxxxxxxx>
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
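
An added example, not part of the original thread or of SSSD: a small Python audit of an sssd.conf that resolves the effective user and group search bases using the fallback to ldap_search_base described in the thread, and flags the transport and credential settings visible in the posted test configuration. The function names (effective_bases, transport_findings, audit) are hypothetical, and the sample is constructed from the posted section with the bind password replaced by a placeholder.

```python
import configparser

# Constructed sample modelled on the [domain/default] section in the message
# above; the bind password is replaced by a placeholder.
SAMPLE = """
[sssd]
domains = default

[domain/default]
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
ldap_uri = ldap://ldap.server.hostname.com:389
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER
"""

def effective_bases(dom):
    # As stated in the thread: an unset group (or user) search base
    # falls back to ldap_search_base.
    base = dom.get("ldap_search_base")
    return {"user": dom.get("ldap_user_search_base", base),
            "group": dom.get("ldap_group_search_base", base)}

def transport_findings(dom):
    findings = []
    start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    for uri in (u.strip() for u in dom.get("ldap_uri", "").split(",")):
        if uri.lower().startswith("ldap://") and not start_tls:
            findings.append(f"{uri}: identity lookups are not protected by TLS")
    if dom.get("ldap_tls_reqcert", "").strip().lower() in ("never", "allow"):
        findings.append("ldap_tls_reqcert: server certificate is not enforced")
    tok_type = dom.get("ldap_default_authtok_type", "password").strip().lower()
    if "ldap_default_authtok" in dom and tok_type == "password":
        findings.append("ldap_default_authtok: bind password stored in cleartext")
    return findings

def audit(text):
    # '=' is the only delimiter so DNs and URIs containing ':' parse intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    report = {}
    for name in (d.strip() for d in cp.get("sssd", "domains").split(",")):
        dom = cp[f"domain/{name}"]
        report[name] = {"bases": effective_bases(dom),
                        "findings": transport_findings(dom)}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the group base resolves to dc=example,dc=com because only ldap_user_search_base is set, which is the one-option-only case the thread is trying to reproduce.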


