On 29 Jun 2018, at 16:12, Chris Dagdigian via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
At long last I've got a brand new IPA cluster running in our AWS footprint with a
modern v4.5.4 install and a proper AD Trust in place to a complex domain forest.
In my older cluster I made use of a lot of the info here that Alexander and Jakob had
written up:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
Just wanted to check and see if the advice in that post still holds true for
ipa-server-4.5.4-10 etc. -- is there anything I should avoid or anything new (links, blog
posts, URLs) that I should read up on to tune v4.5.4?
I’ve been planning to update the post for some time but haven’t found the time so far.
tl;dr it might be a good idea to:
1) increase the negative cache timeout for SSSD on the IPA masters to avoid repeated
lookups in multiple domains. Currently we don’t optimize lookups well enough in cases
where we could infer the right domain from some properties of the input, e.g. given an ID
we could figure out which domain this ID belongs to based on the ID ranges and only ask
that domain. Increasing the negative timeout sort of works around this, because if some
input ID (or name, or SID, ..) is not found in that domain, it is negatively cached and
the negative reply is quite fast.
2) Make use of the cache_first=true option of SSSD on the IPA masters. Again, this avoids
asking the wrong domains, because if some entry is cached, its domain is queried first and
all other preceding domains might be skipped.
Both options obviously are a trade-off, but I’ve seen some users and customers be quite a
bit happier about performance after employing them.
HTH
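As an added example (not part of the thread), a small check that parses an sssd.conf and reports whether the two tunings above are in place. The option names entry_negative_timeout ([nss], default 15 seconds) and cache_first ([sssd]) are the ones documented in sssd.conf(5); the 60-second recommended minimum, the sample configuration and the host names are assumptions constructed for the example.

```python
"""Check an sssd.conf for the two IPA-master tunings discussed in the thread:
a raised negative-cache timeout and cache_first.  Option names follow sssd.conf(5);
the 60 s minimum is an assumed example value, not a value from the thread."""
import configparser
import io

DEFAULT_NEGATIVE_TIMEOUT = 15      # sssd.conf(5) default for entry_negative_timeout (seconds)
RECOMMENDED_NEGATIVE_TIMEOUT = 60  # assumption: pick what suits your trust topology

# Constructed sample sssd.conf for an IPA master with an AD trust (not a real host).
SAMPLE_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam, ssh, sudo, ifp

[domain/ipa.example.test]
id_provider = ipa
ipa_server = master1.ipa.example.test
subdomains_provider = ipa

[nss]
homedir_substring = /home
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is off because LDAP filters contain '%',
    and strict=False tolerates the duplicate keys sometimes found in real files."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return cp


def check_tuning(conf):
    """Return the effective values of both options plus a list of recommendations.
    Missing sections or options fall back to the sssd.conf(5) defaults."""
    negative = conf.getint("nss", "entry_negative_timeout", fallback=DEFAULT_NEGATIVE_TIMEOUT)
    cache_first = conf.getboolean("sssd", "cache_first", fallback=False)
    recommendations = []
    if negative < RECOMMENDED_NEGATIVE_TIMEOUT:
        recommendations.append(f"[nss] entry_negative_timeout = {RECOMMENDED_NEGATIVE_TIMEOUT} (currently {negative})")
    if not cache_first:
        recommendations.append("[sssd] cache_first = True")
    return {"entry_negative_timeout": negative, "cache_first": cache_first,
            "recommendations": recommendations}


if __name__ == "__main__":
    for line in check_tuning(parse_sssd_conf(SAMPLE_CONF))["recommendations"]:
        print("recommend:", line)
```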