We have a large AD environment, which our IdM / FreeIPA servers authenticate users out
of.
The issue I'm trying to address is that it takes a very long time (upwards of 15-20+
seconds) to get a shell on any IdM client server.
Our IdM servers are RHEL 7 boxes, using RHEL repositories:
Installed Packages
Name : ipa-server
Arch : x86_64
Version : 4.6.5
Release : 11.el7_7.4
When I ssh, it takes about that long before it even prompts me for my username.
Then it takes a few more seconds to authenticate me after I type in my password.
I have worked through the documents at
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
and
https://access.redhat.com/articles/2133801 (which seem to be mostly word-for-word the
same article).
I have implemented the recommended settings onto the IdM servers, namely, the following is
now in the IdM server's sssd.conf file:
[domain/domname]
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
This seems to have fixed the delays I noticed whenever I would run "id
my-user@mydomain.com" from any server enrolled in IdM.
The "id" command now seems to be very snappy, and responds almost immediately.
However, it still takes the same 15-20 seconds+ to get a shell on an IdM client.
Reading the above article(s) on what to do with the client, I'm concerned that the
recommended changes won't fix my underlying issue.
The articles recommend adding the following to the client's sssd.conf file:
[pam]
pam_id_timeout = N
[domain/domname]
krb5_auth_timeout = N
I've made the recommended changes to 1 of my clients, but it is still seeing a
significant delay.
So, the issue I'm trying to address is the time it takes to login.
It would seem to me that the above options don't actually address the "time to
login" issue.
Any additional suggestions on this?
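An added example, not from the post or the linked articles: a small Python check that reads an sssd.conf body and reports which of the settings quoted above are missing or differ, for either the server-side set or the client-side set. Section and option names are the ones the post lists; the sample configs, their domain name and the numeric values are constructed.

```python
import configparser

# Settings the post quotes from the linked tuning articles (values as the post gives them).
SERVER_INHERIT = ("ignore_group_members", "ldap_purge_cache_timeout")
SERVER_DOMAIN_KEYS = {"ignore_group_members": "true", "ldap_purge_cache_timeout": "0"}
CLIENT_DOMAIN_KEYS = ("krb5_auth_timeout",)


def audit_sssd_conf(text, role):
    """Return a list of findings for an sssd.conf body; role is 'server' or 'client'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    findings = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        findings.append("no [domain/...] section found")
    for dom in domains:
        sec = cp[dom]
        if role == "server":
            inherited = {v.strip() for v in sec.get("subdomain_inherit", "").split(",")}
            for key in SERVER_INHERIT:
                if key not in inherited:
                    findings.append(f"{dom}: subdomain_inherit does not list {key}")
            for key, want in SERVER_DOMAIN_KEYS.items():
                got = sec.get(key)
                if got is None:
                    findings.append(f"{dom}: {key} not set (recommended {want})")
                elif got.strip().lower() != want:
                    findings.append(f"{dom}: {key} = {got.strip()} (recommended {want})")
        else:
            for key in CLIENT_DOMAIN_KEYS:
                if key not in sec:
                    findings.append(f"{dom}: {key} not set")
    if role == "client" and not cp.has_option("pam", "pam_id_timeout"):
        findings.append("[pam]: pam_id_timeout not set")
    return findings

# Constructed sample configs (not from the post): the server one mirrors the post's
# settings, the client one uses placeholder numbers for the articles' "N".
SERVER_CONF = """[domain/example.test]
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
"""
CLIENT_CONF = """[pam]
pam_id_timeout = 5
[domain/example.test]
krb5_auth_timeout = 6
"""
```

Run it against a real sssd.conf by passing the file's contents and the host's role; an empty list means every setting quoted above is present with the quoted value.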