> I'm not sure if artificially trimming the group list is a
> good idea.
> It wouldn't work for everyone and I would be wary of breaking access
> control mechanisms.
Noted. And yes, I agree this (non-mandatory) config option wouldn't be useful for everyone; it's just something that fixes my particular problem (reduces ssh login times from 30 seconds to <5).
I may have to write my own patch and apply it to the SRPM as each official version of SSSD is released. It won't be supported by Red Hat obviously, but my users won't be complaining about slow login times anymore. So partial win. :)
Just thought I'd contribute my results in case this helps with your investigation of
the larger problem. I assume there are other organisations with huge AD/LDAP directories
that are having similar issues with ssh authentication times.
I've finished my local patch and added a config option called:
ldap_rfc2307bis_initgroups_filter
If not specified, sssd just reverts to normal behaviour (cn=*) during the initgroups run.
With no ldap_rfc2307bis_initgroups_filter:
# time ssh myhost groups
xxxxdm xxxxdef xxxxgmt xxxx002 xxxx003 xxxxp xxxx001 xxxx002 xxxxt xxxxp xxxxange xxxxra
xxxxb2 xxxxp xxxxd xxxxt xxxxp xxxxp xxxxp xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxp
xxxxp xxxxd xxxxd xxxxp xxxxt xxxxd xxxxlemr xxxxp xxxxd xxxxp xxxxp xxxxd xxxxt xxxxd
xxxxp xxxxd xxxxd xxxxt xxxxp xxxxt xxxxp xxxxd xxxxd xxxxt xxxxp xxxxd xxxxu xxxxp xxxxp
xxxxp xxxxp xxxxd xxxxp xxxxp xxxxu xxxxp xxxxp xxxxt xxxxp xxxxd xxxxd xxxxt xxxxp xxxxd
xxxxt xxxxt xxxxd xxxxt xxxxp xxxxp xxxxi xxxxd xxxxd xxxxp xxxxd xxxxp xxxxp xxxxd xxxxd
xxxxp xxxxp xxxxd xxxxp xxxxd xxxxp xxxxd xxxxp xxxxp xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd
xxxxp xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd
xxxxd xxxxp xxxxp xxxxd xxxxp xxxxd xxxxd xxxxp xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxd
xxxxd xxxxd xxxxd xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd xxxxp xxxxt xxxxp xxxxd xxxxd xxxxp
xxxxd xxxxd xxxxd xxxxp xxxxd xxxxd
real 0m48.47s
user 0m0.15s
sys 0m0.02s
With ldap_rfc2307bis_initgroups_filter = (|(cn=xxxrd)(cn=xxxxp)(cn=xxxxd))
# time ssh myhost groups
xxxxdm xxxxgmt xxxxd xxxxp xxxxd
real 0m5.11s
user 0m0.15s
sys 0m0.03s
This hack will have to do until a better solution is found. I'm hoping the fixes coming in 1.7.0 will do the trick. :)
Thanks to everyone who helped me get to this point.
Best regards,
Tim Gollschewsky.
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related
entities "Suncorp".
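The following is an added illustration, not part of the mail above and not SSSD code. It models what the proposed ldap_rfc2307bis_initgroups_filter option does to an rfc2307bis initgroups search and makes the reviewer's access-control concern concrete: a group that an access rule (for example simple_allow_groups) depends on is silently absent from the user's group list if the extra filter never matches it. The base filter shape "(&(objectClass=posixGroup)(member=<user DN>)...)", the sample directory, the DNs and the group names are all constructed assumptions; the real SSSD filter is assembled from ldap_group_object_class, ldap_group_member and ldap_group_name.

```python
"""Toy LDAP filter evaluator (a subset of RFC 4515: equality with '*' wildcards
and the &, |, ! operators) used to show how narrowing the initgroups filter
shrinks the group list and can drop a group an access rule relies on.
Added example; the directory below is constructed, not real data."""
import fnmatch


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', [children]) or
    ('=', attr, pattern) nodes.  Values run to the next ')', which is fine
    for DNs and group names but not for values containing parentheses."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        close = text.index(")", i)
        attr, _, value = text[i:close].partition("=")  # first '=' splits attr/value
        return ("=", attr.lower(), value), close + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lowercase attr -> values).
    Matching is case-insensitive, as LDAP equality is for cn and DNs."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower())
               for v in entry.get(attr, []))


# Constructed sample directory: one user in a handful of named groups plus
# many project groups, mimicking a large rfc2307bis tree.
USER_DN = "uid=tim,ou=people,dc=example,dc=com"      # assumed DN
OTHER_DN = "uid=alice,ou=people,dc=example,dc=com"   # assumed DN


def group(cn, gid, members):
    return {"dn": ["cn=%s,ou=groups,dc=example,dc=com" % cn],
            "objectclass": ["posixGroup", "groupOfNames"],
            "cn": [cn], "gidnumber": [str(gid)], "member": list(members)}


DIRECTORY = [
    group("admins", 1001, [USER_DN]),
    group("developers", 1002, [USER_DN, OTHER_DN]),
    group("ssh-allowed", 1003, [USER_DN]),   # hypothetical access-control group
    group("finance", 1004, [OTHER_DN]),
] + [group("proj%03d" % n, 2000 + n, [USER_DN]) for n in range(150)]


def initgroups_filter(user_dn, extra=None):
    """Assumed shape of the rfc2307bis initgroups search; 'extra' stands in
    for ldap_rfc2307bis_initgroups_filter, defaulting to (cn=*) as the mail
    describes for normal behaviour."""
    return "(&(objectClass=posixGroup)(member=%s)%s)" % (user_dn, extra or "(cn=*)")


def initgroups(user_dn, extra=None):
    """Group names the narrowed (or default) search would return for user_dn."""
    node = parse_filter(initgroups_filter(user_dn, extra))
    return sorted(g["cn"][0] for g in DIRECTORY if matches(node, g))


def missing_access_groups(extra, required):
    """Groups in 'required' (those access rules depend on) that the extra
    filter never matches, so no member would ever be reported in them."""
    node = parse_filter(extra)
    return sorted(cn for cn in required
                  if not any(matches(node, g) for g in DIRECTORY if g["cn"][0] == cn))


if __name__ == "__main__":
    narrowed = "(|(cn=admins)(cn=developers))"
    print(len(initgroups(USER_DN)), "groups with the default (cn=*)")
    print(initgroups(USER_DN, narrowed), "with the narrowed filter")
    print("required but never returned:", missing_access_groups(narrowed, ["ssh-allowed"]))
```

Before deploying such a filter, run the equivalent of missing_access_groups against every group named in access_provider rules, sudoers-ldap or pam group checks on the host: a group left out of the filter does not merely slow nothing down, it ceases to exist from the host's point of view.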