On Thu, May 23, 2013 at 07:59:14AM -0400, Josh Endries wrote:
> I would definitely be interested in testing the changes out.
Great, I built the latest 6.4 packages along with the new option to disable range retrievals: http://jhrozek.fedorapeople.org/sssd-range-retrieval/
To disable the range retrieval functionality (and get the same behaviour as in 6.3), put the following directive into your sssd.conf into the domain section:
ldap_disable_range_retrieval = True
and then restart the SSSD. Large groups (>1500 members) should then appear as empty, while small groups should appear as they used to.
> I don't think I am running into that ticket exactly; I'm not in one group with that many users that I'm aware of. However, my own account is in over twenty groups, some of which are "all employees" and "all students", so it's a large result set. Ultimately it just means lots and lots of extra look-ups when I just want a list of GIDs/names.
I see, then it might be a completely different issue. I would advise testing the build first and if it doesn't help, then we'd take a look at the debug logs.
> Here is my config file. This is mostly from trial and error, Google and man, so it's probably not perfect (but it works):
The config file looks good to me; in general I would just recommend using GSSAPI over password binds: https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20...
The most important part for performance when it comes to AD client is disabling referrals (which you already do).
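The three settings discussed in this message (range retrieval, referrals, GSSAPI versus password binds) can be checked per domain section with a short script. This is an added example, not part of the original e-mail or of SSSD; the sample configuration, domain name, URI and bind DN are constructed, and `audit_sssd_conf` is a hypothetical helper name.

```python
import configparser

# Constructed sample sssd.conf; every value below is a placeholder.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc.example.com
ldap_referrals = False
ldap_default_bind_dn = cn=svc-sssd,dc=example,dc=com
ldap_default_authtok = constructed-placeholder
"""


def audit_sssd_conf(text):
    """Return {domain: [notes]} for the settings raised in the thread."""
    # Only '=' is a delimiter, so LDAP URIs and DNs stay intact as values.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # the options below only apply to [domain/...] sections

        def get(key, default=""):
            return cp.get(section, key, fallback=default).strip()

        notes = []
        # Default is False: large groups are fetched with range retrieval.
        if get("ldap_disable_range_retrieval", "false").lower() != "true":
            notes.append("range retrieval is enabled")
        # Default is True: the client chases referrals, which costs look-ups.
        if get("ldap_referrals", "true").lower() != "false":
            notes.append("referral chasing is enabled")
        # A stored bind secret means a password bind instead of GSSAPI.
        if get("ldap_sasl_mech").upper() != "GSSAPI":
            if cp.has_option(section, "ldap_default_authtok"):
                notes.append("password bind with stored secret; prefer GSSAPI")
            else:
                notes.append("ldap_sasl_mech is not GSSAPI")
        report[section[len("domain/"):]] = notes
    return report


if __name__ == "__main__":
    for domain, notes in audit_sssd_conf(SAMPLE_CONF).items():
        print(domain, notes or "matches the advice in the thread")
```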