Hi all. Thanks to everyone for their help so far.
OK, I've been diving into the code today. v1.5.15 though, since it just got released.
(Thu Oct 27 10:17:13 2011) [sssd[be[XXX.XXX.XXX]]]
[sdap_get_generic_step] (6): calling ldap_search_ext with
[(&(msSFU30PosixMember=CN=U999999,OU=MyOU,OU=Users,OU=Accounts,DC=xxx,DC=xxx,DC=xxx)(objectclass=group)(cn=*))][ou=GroupOU,ou=Right
Groups,ou=Groups,dc=xxx,dc=xxx,dc=xxx]. (Thu Oct 27 10:17:13 2011)
^^From my earlier debug output. This query above works out which groups I'm a member
of (and which ones to enumerate).
By slightly modifying the code I have significantly improved my ssh logins time.
If I change this code:
src/providers/ldap/sdap_async_accounts.c (line 4228):
    filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
                             opts->group_map[SDAP_AT_GROUP_MEMBER].name,
                             clean_orig_dn,
                             opts->group_map[SDAP_OC_GROUP].name,
                             opts->group_map[SDAP_AT_GROUP_NAME].name);
to this:
    filter = talloc_asprintf(state,
                             "(&(%s=%s)(objectclass=%s)(|(%s=group1)(cn=group2)(cn=group3)))",
                             ...
Note I've changed (cn=*) to (|(cn=group1)(cn=group2)(cn=group3)).
My login times go from 28 seconds to 5 seconds on the first login.
So the reason is: I'm a member of 150 groups in AD, but only 2-3 are ever relevant
on the particular machine that I'm logged in to. So having a group list filter like
this reduces the scope of the LDAP search significantly, and speeds up the group
enumeration. Handy for organisations with very large directories like mine.
Are these options used anywhere?
ldap_group_search_scope
ldap_group_search_filter
Or maybe an option like this in the config would be useful?
ldap_group_list_filter = group1,group2,group3
Is this something that would be a good contribution for sssd? Even if it's just an
undocumented feature? I could have a crack at it.
Cheers,
Tim.