On Mon, Dec 08, 2014 at 08:45:00PM +0000, PATRICK wrote:
Sanitized sssd.conf; please note enumerate is set to false and all of
the users' POSIX attributes are still getting pulled down.
[domain/default]
debug_level = 5
enumerate = False
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
#ldap_search_base = dc=example,dc=com
ldap_search_base = dc=example,dc=com?sub?|(host=myhost.mygroup.example.com)(host=ALL)
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://myldap.example.com:389
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = cn=proxyuser,ou=AdminUsers,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXXXXXX
access_provider=ldap
ldap_access_filter = (|(host=myhost.mygroup.example.com)(host=ALL))
[sssd]
services = nss, pam
config_file_version = 2
debug_level = 5
domains = default
[nss]
debug_level = 5
[pam]
debug_level = 5
You can drop the service stanzas other than [nss] and [pam] since you
only use nss and pam in the services line. Otherwise, the config file
looks good to me.
Do you still see a high load on the servers? Can you check the server
logs about the queries?
Do you use nested groups? Perhaps the queries you see are some
application calling getgrnam/getgrgid on a large group and recursing?
[sudo]
debug_level = 5
[autofs]
debug_level = 5
[ssh]
debug_level = 5
[pac]
debug_level = 5
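The points raised in the reply (enumerate stays off, responder stanzas that are not in the [sssd] services line can be dropped, and the host filter in the extended ldap_search_base should match ldap_access_filter) can be checked mechanically. The following is an added example written for this thread, not code from SSSD or from either poster; it parses a trimmed copy of the sanitized config above (constructed here as SAMPLE_CONF, with the krb5 lines joined) using Python's standard configparser and reports those findings. The list of responder section names and the host= extraction regex are assumptions of this script, not taken from sssd.conf(5).

```python
"""Lint an sssd.conf for the points discussed in the thread (added example)."""
import configparser
import re

# Constructed sample: trimmed from the sanitized config quoted in the thread.
SAMPLE_CONF = """\
[domain/default]
enumerate = False
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com?sub?|(host=myhost.mygroup.example.com)(host=ALL)
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://myldap.example.com:389
ldap_default_bind_dn = cn=proxyuser,ou=AdminUsers,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXXXXXX
access_provider=ldap
ldap_access_filter = (|(host=myhost.mygroup.example.com)(host=ALL))

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]
debug_level = 5
[pam]
debug_level = 5
[sudo]
debug_level = 5
[autofs]
debug_level = 5
[ssh]
debug_level = 5
[pac]
debug_level = 5
"""

# Assumption: these section names correspond to SSSD responders that are
# only started when listed in the [sssd] services line.
RESPONDER_SECTIONS = {"nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}

HOST_RE = re.compile(r"\(host=([^)]+)\)")


def load_conf(text):
    """Parse sssd.conf text; it is INI-style, so configparser is enough."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def parse_search_base(value):
    """Split sssd's extended 'base?scope?filter' form into its three parts.

    A plain DN yields (dn, None, None)."""
    parts = value.split("?", 2)
    base = parts[0].strip()
    scope = parts[1].strip() if len(parts) > 1 else None
    flt = parts[2].strip() if len(parts) > 2 else None
    return base, scope, flt


def unused_service_stanzas(cp):
    """Responder stanzas present in the file but absent from [sssd] services."""
    services = {s.strip() for s in cp.get("sssd", "services").split(",") if s.strip()}
    present = {s for s in cp.sections() if s in RESPONDER_SECTIONS}
    return sorted(present - services)


def lint(text):
    """Return the findings a reviewer would want for the thread's config."""
    cp = load_conf(text)
    domain = "domain/" + cp.get("sssd", "domains").split(",")[0].strip()
    base, scope, search_filter = parse_search_base(cp.get(domain, "ldap_search_base"))
    access_filter = cp.get(domain, "ldap_access_filter", fallback="")
    search_hosts = sorted(HOST_RE.findall(search_filter or ""))
    access_hosts = sorted(HOST_RE.findall(access_filter))
    return {
        "enumerate": cp.getboolean(domain, "enumerate", fallback=False),
        "unused_stanzas": unused_service_stanzas(cp),
        "search_base": base,
        "search_scope": scope,
        "search_filter_hosts": search_hosts,
        "access_filter_hosts": access_hosts,
        # Same host list in both filters: the directory returns only entries the
        # access provider would admit anyway, so no extra users are pulled down.
        "hosts_consistent": search_hosts == access_hosts,
    }


if __name__ == "__main__":
    for key, value in lint(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Running it on the sample lists sudo, autofs, ssh and pac as droppable stanzas (the same advice as in the reply), confirms enumerate is off, and shows that both filters restrict to the same two host values.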