search for: ignore_group_members

On 04/12/2016 09:51 AM, James Hogarth wrote: > To the OP enumerate is always painful, I'd remove that for a start. This was my experience too, for what it's worth. When I first set up a new system pointed at LDAP it was absurdly slow to authenticate. Setting Enumerate to False in /etc/sssd/sssd.conf made all the difference.

...the LDAP server. When I did "id user", it took around 20 seconds. I did some debugging, and when the user was not a member of additional groups, it was much faster (5 seconds), but still slow. It seems that for each member of a group, the client did a query to the LDAP server. I put "ignore_group_members = true" in sssd.conf and now it's much faster. Can you try this? Regards,

...etc/ssl/certs/ca-certificates.crt ad_hostname = Server.DOMAIN.COM ad_domain = DOMAIN.COM ldap_id_mapping = true default_shell = /bin/bash ldap_referrals = false # 2019-03-30: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout #ignore_group_members = true ldap_purge_cache_timeout = 0 krb5_auth_timeout = 15 # 2019-04-01: Old config cache_credentials = True ldap_schema = ad Samba Server Logs: [2019/04/30 11:28:20.929897, 3] ../source3/smbd/msdfs.c:1008(get_referred_path) get_referred_path: |...

...ynn krb5_realm = AD.LASTHOME.SOLACE.KRYNN realmd_tags = manages-system joined-with-samba # cache_credentials = True krb5_store_password_if_offline = True ldap_id_mapping = False use_fully_qualified_names = False default_shell = /bin/bash fallback_homedir = /export/home/%u@%d ldap_referrals = False ignore_group_members = True [nss] [pam] ------------------------------------------------------ For realmd, it was only a matter of following the documentation, which resulted in # realm join --automatic-id-mapping=no ad.lasthome.solace.krynn -U administrator [...] # realm list ad.lasthome.solace.krynn type: kerb...