Hi,
I just want to check whether the performance of sssd is alright or if there is room for improvement.
I am using a binding account to query the Active Directory. I've configured a nesting level of 1.
When I login the first time or run the id command it takes around 5 secs to finish when the user is member of ~100 (nested) groups in the AD. It takes around 10 secs if the user is member of ~200 (nested) groups.
So you can say the loading time is increasing linearly to the membership of groups.
Unfortunately I need to use a nesting level of 1. I've set group members to false and enumeration off.
Are these values in an acceptable area? What experiences did you make?
Thank you :)
JM
On Thu, 26 Mar 2020, Jannis Mann wrote:
> Hi, I just want to check whether the performance of sssd is alright or if there is room for improvement.
> I am using a binding account to query the Active Directory. I've configured a nesting level of 1.
> When I login the first time or run the id command it takes around 5 secs to finish when the user is member of ~100 (nested) groups in the AD. It takes around 10 secs if the user is member of ~200 (nested) groups.
> So you can say the loading time is increasing linearly to the membership of groups.
> Unfortunately I need to use a nesting level of 1. I've set group members to false and enumeration off.
> Are these values in an acceptable area? What experiences did you make?
ignore_group_members = true
If you're in a situation where you can set this, it makes a massive difference to performance (especially where you have large groups).
I've not retested with newer versions of SSSD, but in the past mounting /var/lib/sss/db as tmpfs made another big performance difference.
We were getting >60 seconds times for an initial login of a user, which would cause timeouts elsewhere. This ends up bringing it down to more like one second for a typical case, and once it's been cached much faster than that.
That was with nesting level 4.
jh
Hi John,
thanks for your input!
Sorry, I've meant ignore_group_members = true
I already read about the tmpfs idea but I worry a little when the vm fails and then one restarts without a connection to the domain controller the users are not able to login anymore... - at least that is what I am thinking
On Thu, 26 Mar 2020 at 16:07, John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> On Thu, 26 Mar 2020, Jannis Mann wrote:
> > Hi, I just want to check whether the performance of sssd is alright or if there is room for improvement.
> > I am using a binding account to query the Active Directory. I've configured a nesting level of 1.
> > When I login the first time or run the id command it takes around 5 secs to finish when the user is member of ~100 (nested) groups in the AD. It takes around 10 secs if the user is member of ~200 (nested) groups.
> > So you can say the loading time is increasing linearly to the membership of groups.
> > Unfortunately I need to use a nesting level of 1. I've set group members to false and enumeration off.
> > Are these values in an acceptable area? What experiences did you make?
> ignore_group_members = true
> If you're in a situation where you can set this, it makes a massive difference to performance (especially where you have large groups).
> I've not retested with newer versions of SSSD, but in the past mounting /var/lib/sss/db as tmpfs made another big performance difference.
> We were getting >60 seconds times for an initial login of a user, which would cause timeouts elsewhere. This ends up bringing it down to more like one second for a typical case, and once it's been cached much faster than that.
> That was with nesting level 4.
> jh
On Thu, 26 Mar 2020, Jannis Mann wrote:
> Hi John, thanks for your input!
> Sorry, I've meant ignore_group_members = true
> I already read about the tmpfs idea but I worry a little when the vm fails and then one restarts without a connection to the domain controller the users are not able to login anymore...
> - at least that is what I am thinking
You lose cached credentials by going that route, but I don't think you're likely to see other significant bother. We've not noticed any issues.
ignore_group_members breaks applications that expect to be able to get a list of members of a group, rather than which groups a user is a member of.
jh
I've just mounted /var/lib/sss/db to tmpfs but can't find any improvement of speed tbh
I've set the nesting level to 3 for testing purposes and the user is member of around 400 groups. It still takes around 25 seconds for the initial login, with around the same time when the directory is not mounted to tmpfs
You say it took around 1 second for you with a nesting level of 4? Sounds crazy to me right now :D
On Thu, 26 Mar 2020 at 16:28, John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> On Thu, 26 Mar 2020, Jannis Mann wrote:
> > Hi John, thanks for your input!
> > Sorry, I've meant ignore_group_members = true
> > I already read about the tmpfs idea but I worry a little when the vm fails and then one restarts without a connection to the domain controller the users are not able to login anymore...
> > - at least that is what I am thinking
> You lose cached credentials by going that route, but I don't think you're likely to see other significant bother. We've not noticed any issues.
> ignore_group_members breaks applications that expect to be able to get a list of members of a group, rather than which groups a user is a member of.
> jh
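The timings compared in this thread (first lookup versus cached lookup, and cost per group) can be measured on a client with a small harness like the following. This is an added example, not part of any poster's message; it assumes GNU `date` (for `%N`), root privileges and the `sss_cache` tool for the cold run, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: compare uncached and cached `id` lookups for one user.
# Assumptions: GNU date (nanosecond %N), sss_cache available, run as root.

# elapsed_ms CMD [ARGS...]: run the command, print wall-clock milliseconds.
elapsed_ms() {
    start=$(date +%s%N)
    "$@" >/dev/null 2>&1 || :      # a failing lookup is still timed
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# group_count USER: number of groups that `id` resolves for the user.
group_count() {
    id -G "$1" 2>/dev/null | wc -w | tr -d ' '
}

# per_group_ms TOTAL_MS NGROUPS: average cost per group in whole ms.
per_group_ms() {
    if [ "$2" -gt 0 ]; then
        echo $(( $1 / $2 ))
    else
        echo 0
    fi
}

# measure_user USER: cold lookup (cache entry expired first), then warm lookup.
measure_user() {
    user=$1
    sss_cache -u "$user" || return 1   # invalidate the cached entry for this user
    cold=$(elapsed_ms id "$user")      # goes to the directory server
    warm=$(elapsed_ms id "$user")      # answered from the SSSD cache
    ngroups=$(group_count "$user")
    echo "user=$user groups=$ngroups cold_ms=$cold warm_ms=$warm" \
         "per_group_ms=$(per_group_ms "$cold" "$ngroups")"
}

# Usage, as root on an SSSD client:  measure_user someuser
```

Running `measure_user` before and after a configuration change (nesting level, `ignore_group_members`, tmpfs for `/var/lib/sss/db`) gives comparable cold and warm figures for the same user.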