Sanitized sssd.conf, please note enumerate is set to false and all of the users' POSIX attributes are still getting pulled down.

[domain/default]
debug_level = 5
enumerate = False
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
#ldap_search_base = dc=example,dc=com
ldap_search_base = dc=example,dc=com?sub?|(host=myhost.mygroup.example.com)(host=ALL)
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://myldap.example.com:389
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = cn=proxyuser,ou=AdminUsers,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXXXXXX
access_provider=ldap
ldap_access_filter = (|(host=myhost.mygroup.example.com)(host=ALL))

[sssd]
services = nss, pam
config_file_version = 2
debug_level = 5
domains = default

[nss]
debug_level = 5

[pam]
debug_level = 5

[sudo]
debug_level = 5

[autofs]
debug_level = 5

[ssh]
debug_level = 5

[pac]
debug_level = 5
On Mon, Dec 08, 2014 at 08:45:00PM +0000, PATRICK wrote:
> Sanitized sssd.conf, please note enumerate is set to false and all of the users' POSIX attributes are still getting pulled down.
>
> [domain/default]
> debug_level = 5
> enumerate = False
> ldap_id_use_start_tls = True
> ldap_schema = rfc2307bis
> #ldap_search_base = dc=example,dc=com
> ldap_search_base = dc=example,dc=com?sub?|(host=myhost.mygroup.example.com)(host=ALL)
> krb5_realm = EXAMPLE.COM
> krb5_server = kerberos.example.com
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://myldap.example.com:389
> cache_credentials = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_default_bind_dn = cn=proxyuser,ou=AdminUsers,dc=example,dc=com
> ldap_default_authtok_type = password
> ldap_default_authtok = XXXXXXXXXXXX
> access_provider=ldap
> ldap_access_filter = (|(host=myhost.mygroup.example.com)(host=ALL))
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> debug_level = 5
> domains = default
>
> [nss]
> debug_level = 5
>
> [pam]
> debug_level = 5
You can drop the service stanzas other than [nss] and [pam] since you only use nss and pam in the services line. Otherwise, the config file looks good to me.
Do you still see a high load on the servers? Can you check the server logs about the queries?
Do you use nested groups? Perhaps the queries you see are some application calling getgrnam/getgrgid on a large group and recursing?
> [sudo]
> debug_level = 5
>
> [autofs]
> debug_level = 5
>
> [ssh]
> debug_level = 5
>
> [pac]
> debug_level = 5
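Two things in the exchange above lend themselves to an automated check: whether the service stanzas in the file match the `services` line in `[sssd]` (Jakub's point), and how the `base?scope?filter` form of `ldap_search_base` is put together. The script below is an added example written for this thread; it is not SSSD code and not something either poster ran. It uses Python's `configparser` on a constructed, shortened copy of the sanitized config, reports service stanzas that are not enabled, splits `ldap_search_base` into its tuples, and warns when a filter part is not a complete, parenthesized LDAP filter as RFC 4515 requires. The list of accepted scope keywords (`SCOPES`) and the set of responder names (`SERVICE_STANZAS`) are this script's own assumptions, not taken from the thread.

```python
"""Sanity checks for an sssd.conf like the one in this thread (added example).

Checks: (1) service stanzas present in the file but absent from the [sssd]
"services" line; (2) every ldap_search_base tuple "base?scope?filter" carries a
complete, parenthesized LDAP filter; (3) whether a clear-text bind password is
stored in the file.  SAMPLE_CONF is a constructed, shortened copy of the
sanitized config posted in the thread.
"""
import configparser

SAMPLE_CONF = """\
[domain/default]
ldap_search_base = dc=example,dc=com?sub?|(host=myhost.mygroup.example.com)(host=ALL)
ldap_access_filter = (|(host=myhost.mygroup.example.com)(host=ALL))
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXXXXXX

[sssd]
services = nss, pam
domains = default

[nss]
debug_level = 5

[pam]
debug_level = 5

[sudo]
debug_level = 5

[autofs]
debug_level = 5
"""

# Responder names used to tell service stanzas from domain stanzas (assumption).
SERVICE_STANZAS = {"nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}
# Scope keywords this script accepts (assumption; "sub" is what the thread uses).
SCOPES = {"base", "onelevel", "one", "subtree", "sub"}


def load_conf(text):
    # Only "=" is a delimiter: values such as DNs contain "=" and ":" themselves.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def unused_service_stanzas(cp):
    """Service sections in the file that the [sssd] services line does not enable."""
    raw = cp.get("sssd", "services", fallback="")
    enabled = {s.strip() for s in raw.split(",") if s.strip()}
    return sorted(s for s in cp.sections() if s in SERVICE_STANZAS and s not in enabled)


def parse_search_base(value):
    """Split 'base?scope?filter[?base?scope?filter...]' into (base, scope, filter) tuples.

    A bare DN (no '?') is one tuple with scope and filter set to None.
    """
    parts = value.strip().split("?")
    if len(parts) == 1:
        return [(parts[0], None, None)]
    if len(parts) % 3 != 0:
        raise ValueError("not made of base?scope?filter tuples: %r" % value)
    tuples = []
    for i in range(0, len(parts), 3):
        base, scope, flt = parts[i], parts[i + 1].lower(), parts[i + 2]
        if scope not in SCOPES:
            raise ValueError("unknown scope %r in ldap_search_base" % scope)
        tuples.append((base, scope, flt))
    return tuples


def is_parenthesized_filter(flt):
    """True if flt is one balanced, fully parenthesized LDAP filter, e.g. '(|(a=1)(b=2))'."""
    if not flt or flt[0] != "(" or flt[-1] != ")":
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            # Back at depth 0 before the last character means two top-level filters.
            if depth == 0 and i != len(flt) - 1:
                return False
    return depth == 0


def check_conf(text, domain="domain/default"):
    """Run all checks on a config text and return the findings as a dict."""
    cp = load_conf(text)
    findings = {"unused_stanzas": unused_service_stanzas(cp), "filter_warnings": []}
    for base, scope, flt in parse_search_base(cp.get(domain, "ldap_search_base", fallback="")):
        if flt is not None and not is_parenthesized_filter(flt):
            findings["filter_warnings"].append(
                "ldap_search_base filter %r for base %s is not a parenthesized LDAP filter" % (flt, base))
    access = cp.get(domain, "ldap_access_filter", fallback=None)
    if access is not None and not is_parenthesized_filter(access):
        findings["filter_warnings"].append("ldap_access_filter %r is not parenthesized" % access)
    # A bind password kept in clear text in the file is worth knowing about.
    findings["plaintext_bind_password"] = (
        cp.get(domain, "ldap_default_authtok_type", fallback="") == "password"
        and cp.has_option(domain, "ldap_default_authtok"))
    return findings


if __name__ == "__main__":
    for key, val in check_conf(SAMPLE_CONF).items():
        print("%s: %s" % (key, val))
```

Run against the posted config it lists `[sudo]` and `[autofs]` as stanzas that never start (here; the full file also has `[ssh]` and `[pac]`), and it flags the `ldap_search_base` filter `|(host=...)(host=ALL)` because it lacks the outer parentheses that `ldap_access_filter` has; whether that is how the file really reads or an artifact of pasting is something only the poster can confirm, so the script warns rather than rewrites.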
We will drop the other stanzas and retest shortly. We are not using nested groups and we already discussed switching to rfc2307 from rfc2307bis. The txnlogs on the DSEE instance see an authenticated bind, nothing out of the normal. The server has no readwaiters, minimal connections.
thanks! Pat
----- Original Message -----
From: "Jakub Hrozek" <jhrozek@redhat.com>
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, December 9, 2014 9:30:04 AM
Subject: Re: [SSSD-users] SSSD with Oracle DSEE
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Tue, Dec 09, 2014 at 05:57:18PM +0000, PATRICK wrote:
> We will drop the other stanzas and retest shortly. We are not using nested groups and we already discussed switching to rfc2307 from rfc2307bis. The txnlogs on the DSEE instance see an authenticated bind, nothing out of the normal. The server has no readwaiters, minimal connections.
>
> thanks! Pat
Ah, I'm sorry, you originally said you were seeing long connection times, not large load on the servers...
Do you also see a long connection time if you search the server with ldapsearch?
ldapsearch returns quickly. The initial bind succeeds quickly. It looks as though sssd is trying to populate all the users' POSIX attributes into its db. When we create a test user with no host attributes, the bind and authentication completes in ms, versus a user with many host attributes, which takes 30+ seconds.
----- Original Message -----
From: "Jakub Hrozek" <jhrozek@redhat.com>
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, December 9, 2014 10:24:39 AM
Subject: Re: [SSSD-users] SSSD with Oracle DSEE
On Tue, Dec 09, 2014 at 06:29:08PM +0000, PATRICK wrote:
> ldapsearch returns quickly. The initial bind succeeds quickly. It looks as though sssd is trying to populate all the users' POSIX attributes into its db. When we create a test user with no host attributes, the bind and authentication completes in ms, versus a user with many host attributes, which takes 30+ seconds.
Did you check out the SSSD logs to see what might be taking so long?
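Jakub's question above ("what might be taking so long?") is usually answered by looking at the timestamps in the domain log (`sssd_default.log` for the `[domain/default]` section here): with a lookup that takes 30+ seconds, one pair of consecutive lines will be about that far apart, and the function names on those lines say which step stalled. The script below is an added example written for this thread, not SSSD code and not a log either poster published. `SAMPLE_LOG` is constructed and only approximates the 1.x log layout `(timestamp) [sssd[be[domain]]] [function] (0xlevel): message`; the exact function names and messages in a real log will differ, which is why the parser keys only on the timestamp and function fields.

```python
"""Find the slow step in an SSSD domain log by timestamp gaps (added example).

Each debug line is parsed into (line number, timestamp, function, message);
consecutive entries more than `threshold` seconds apart are reported.  The
sample lines are constructed for this example and only approximate the layout
of a 1.x sssd_<domain>.log; the search-to-result gap is placed at 32 seconds
so the output is easy to read.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
(Tue Dec  9 10:24:39 2014) [sssd[be[default]]] [sdap_cli_connect_recv] (0x0400): connected to ldap://myldap.example.com:389
(Tue Dec  9 10:24:39 2014) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=proxyuser,ou=AdminUsers,dc=example,dc=com
(Tue Dec  9 10:24:39 2014) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Tue Dec  9 10:24:39 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=pat)(objectclass=posixAccount))][dc=example,dc=com].
(Tue Dec  9 10:25:11 2014) [sssd[be[default]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Dec  9 10:25:11 2014) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user pat
(Tue Dec  9 10:25:12 2014) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

# "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.*?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# ctime-style stamp, optionally with the ":microseconds" field debug_microseconds adds.
TS_RE = re.compile(r"^(\w+ \w+ +\d+ \d+:\d+:\d+)(?::(\d{6}))? (\d{4})$")


def parse_timestamp(ts):
    """Parse 'Tue Dec  9 10:24:39 2014' or 'Tue Dec  9 10:24:39:123456 2014'."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError("unrecognised timestamp: %r" % ts)
    dt = datetime.strptime("%s %s" % (m.group(1), m.group(3)), "%a %b %d %H:%M:%S %Y")
    if m.group(2):
        dt = dt.replace(microsecond=int(m.group(2)))
    return dt


def parse_log(text):
    """Return [(lineno, timestamp, function, message)] for every parsable line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and unrelated noise are skipped
        entries.append((lineno, parse_timestamp(m.group("ts")), m.group("func"), m.group("msg")))
    return entries


def slow_steps(entries, threshold=5.0):
    """Return (seconds, previous_function, next_function, next_lineno) for every
    pair of consecutive entries at least `threshold` seconds apart."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        secs = (cur[1] - prev[1]).total_seconds()
        if secs >= threshold:
            gaps.append((secs, prev[2], cur[2], cur[0]))
    return gaps


if __name__ == "__main__":
    for secs, before, after, lineno in slow_steps(parse_log(SAMPLE_LOG)):
        print("%.0fs between %s and %s (line %d)" % (secs, before, after, lineno))
```

On the constructed sample the only gap reported is the 32 seconds between `sdap_get_generic_ext_step` (the search being sent) and `sdap_get_generic_op_finished` (the result arriving), which would point at the directory server rather than at SSSD's own processing; a gap that instead sits between the result and `sdap_save_user`, or between the final save and the request callback, would point at the local cache write. Run it on a real log with `parse_log(open(path).read())` and a threshold of a few seconds.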
I am finding some name resolution issues and trying to perform AAAA queries. I will disable all IPv6 and add the ldap servers to the local host file. Will update with results. I do not think this is the primary issue, but maybe a contributing factor.
----- Original Message -----
From: "Jakub Hrozek" <jhrozek@redhat.com>
To: sssd-users@lists.fedorahosted.org
Sent: Tuesday, December 9, 2014 11:06:10 AM
Subject: Re: [SSSD-users] SSSD with Oracle DSEE