On 04/12/2016 09:51 AM, James Hogarth wrote:
> To the OP enumerate is always painful, I'd remove that for a start.

This was my experience too, for what it's worth. When I first set up a new system pointed at LDAP it was absurdly slow to authenticate. Setting Enumerate to False in /etc/sssd/sssd.conf made all the difference.

On 4/12/2016 7:56 PM, David Nelson wrote:
> On 04/12/2016 09:51 AM, James Hogarth wrote:
>> To the OP enumerate is always painful, I'd remove that for a start.
>
> This was my experience too, for what it's worth. When I first set up a
> new system pointed at LDAP it was absurdly slow to authenticate. Setting
> Enumerate to False in /etc/sssd/sssd.conf made all the difference.

Hello,

I had a similar problem recently with a CentOS 6 machine, which was in another country and had ~100ms latency to the LDAP server. When I did "id user", it took around 20 seconds. I did some debugging, and when the user was not a member of additional groups, it was much faster (5 seconds), but still slow. It seems that for each member of a group, the client did a query to the LDAP server. I put "ignore_group_members = true" in sssd.conf and now it's much faster. Can you try this?

Regards,

On 4/12/16 12:15 PM, Todor Petkov wrote:
>
> On 4/12/2016 7:56 PM, David Nelson wrote:
>> On 04/12/2016 09:51 AM, James Hogarth wrote:
>>> To the OP enumerate is always painful, I'd remove that for a start.
>> This was my experience too, for what it's worth. When I first set up a
>> new system pointed at LDAP it was absurdly slow to authenticate. Setting
>> Enumerate to False in /etc/sssd/sssd.conf made all the difference.
> Hello,
>
> I had a similar problem recently with a CentOS 6 machine, which was in
> another country and had ~100ms latency to the LDAP server.
> When I did "id user", it took around 20 seconds. I did some debugging,
> and when the user was not a member of additional groups, it was much
> faster (5 seconds), but still slow.
> It seems that for each member of a group, the client did a query to the
> LDAP server. I put "ignore_group_members = true" in sssd.conf and now
> it's much faster. Can you try this?
>
> Regards,

In my particular case the server is already widely used so I'm not in a good position to test it. But next time I have to set up a new system that authenticates against LDAP, I'll be sure to do that!

On 12.04.2016 at 18:56, David Nelson wrote:
> On 04/12/2016 09:51 AM, James Hogarth wrote:
>> To the OP enumerate is always painful, I'd remove that for a start.
> This was my experience too, for what it's worth. When I first set up a
> new system pointed at LDAP it was absurdly slow to authenticate. Setting
> Enumerate to False in /etc/sssd/sssd.conf made all the difference.

At the beginning it was off. I've turned it on hoping it will eventually speed up authentication. With no success.

--
Over And Out
MoonWolf