On Thu, Oct 25, 2012 at 05:43:12AM -0400, Stephen Gallagher wrote:
On 10/24/2012 05:49 PM, Paul B. Henson wrote:
We're working on transitioning from RHEL5 to RHEL6 and have run into a bit of a problem with sssd and our ldap integration.
We have a number of groups with a very large number of members, which took excessively long with nss_ldap to retrieve. We implemented the nss_getgrent_skipmembers feature for nss_ldap, got it accepted into the PADL upstream, talked Red Hat into backporting it, and have been using it for years. Basically, this feature allows you to not request the member attribute for a group lookup, the group shows up with no members. However, for the purposes of initgroups, membership is still taken into account and users belong to the correct groups. This works perfectly for our needs.
Paul, this has been proposed as https://fedorahosted.org/sssd/ticket/1376 which is currently slated for inclusion in SSSD 1.10. You're not the first person to request this functionality, but it just hasn't been implemented yet.
Also, as Dmitri has stated, in the case of initgroups (which can be tested with 'id -G username'), SSSD 1.9.x has implemented several very serious performance increases.
Please test with 'id -G' and not just 'id', as the latter doesn't just get the user's group memberships but also retrieves the full contents of each of the groups.
There have also been many performance improvements made during the 1.9 development. I would suggest that you try the 1.9 packages to see if the performance is acceptable for you.
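To make the distinction in the reply above concrete, here is an added shell example (not from the thread, and not part of SSSD or nss_ldap) that separates the two kinds of work: the cheap initgroups-style lookup that 'id -G' performs, and the additional per-group resolution that a plain 'id' triggers, emulated here with 'getent group' so that the member attribute of every group is actually fetched. The function names and the way the expensive path is emulated are this example's own choices; the only assumptions are that 'id' and 'getent' are available on the test host.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from SSSD.
# Compares the cheap initgroups path ('id -G') with the expensive path
# that also resolves every group entry (emulated with 'getent group').

# Cheap path: only the list of GIDs the user belongs to (initgroups).
# Returns the number of groups; no member lists are retrieved.
initgroups_count() {
    user="$1"
    id -G "$user" | wc -w | tr -d ' '
}

# Expensive path: for every GID from initgroups, fetch the whole group
# entry, member list included. Against very large LDAP groups this is
# the part that is slow, and it is what plain 'id' does in addition to
# 'id -G'. Returns the total number of member names pulled down.
full_lookup_members() {
    user="$1"
    total=0
    for gid in $(id -G "$user"); do
        # 'getent' may be missing or the GID unresolvable; skip quietly.
        entry=$(getent group "$gid" 2>/dev/null) || continue
        # Field 4 of the group entry is the comma-separated member list.
        members=$(printf '%s\n' "$entry" |
            awk -F: '{ n = ($4 == "") ? 0 : split($4, a, ","); print n }')
        total=$((total + members))
    done
    echo "$total"
}

# Usage: time both paths for a user to see where the cost actually is.
if [ "${1:-}" != "" ]; then
    echo "initgroups groups:  $(initgroups_count "$1")"
    echo "members resolved:   $(full_lookup_members "$1")"
fi
```

Run it as 'sh script.sh username' (or wrap each call in 'time') on the RHEL6/SSSD host: if the first number appears quickly and the second is what takes long, the slow part is the group-member retrieval that the requested skip-members feature would avoid, not initgroups itself.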