id command seems to query entire ldap server using RHEL6.3 and sssd
I have an issue where the "id" command takes nearly 2 minutes to complete and seems to query the full ldap database, which is greater than 50,000 entries.
I'm guessing I'm missing something in the sssd.conf file, but I can't seem to find out what. I'm using Kerberos for authentication and LDAP for authorization, all controlled via sssd on RHEL 6.3. Below is the relevant section of the sssd.conf file:

[domain/*****]
debug_level = 6
id_provider = ldap
ldap_id_use_start_tls = False
ldap_search_base = dc=***,dc=***
ldap_uri = ldap://**********
ldap_tls_cacertdir = /etc/openldap/cacerts
auth_provider = krb5
krb5_realm = ************
chpass_provider = none
krb5_server = *********,*********,********
krb5_kpasswd = *********
cache_credentials = False

And here is the relevant section of my nsswitch.conf file:

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files sss
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

Here is a snippet of the sssd_domain log file:

(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user1))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[***_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user2))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user3))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user4))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry

Any help would be much appreciated.
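A small log analyser for the kind of sssd_<domain>.log excerpt quoted above, added here as an example and not part of the original post or of sssd itself. It parses the line format the poster shows (timestamp, back end, function, debug level, message), counts how many distinct user lookups are issued per second and how many of them miss the local sysdb cache, and flags seconds in which a single request fanned out into many per-user lookups. The sample log and the domain and user names in it are constructed placeholders modelled on the quoted lines; the threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the sssd_<domain>.log lines quoted in the post.
# "example_ldap" and "user1".."user4" are placeholders, not real data.
SAMPLE_LOG = """\
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user1))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user2))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user3))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user4))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
"""

# One log line: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
# The sysdb filter sssd prints when it looks a user up by one attribute.
FILTER_RE = re.compile(
    r"Search users with filter: \(&\(objectclass=user\)\((?P<attr>\w+)=(?P<value>[^)]+)\)\)"
)


def parse_line(line):
    """Split one log line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fm = FILTER_RE.search(rec["msg"])
    rec["lookup"] = (fm.group("attr"), fm.group("value")) if fm else None
    return rec


def summarize(log_text):
    """Count user lookups per second, collect the names looked up, and count sysdb misses."""
    per_second = defaultdict(Counter)
    names = set()
    cache_misses = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["lookup"]:
            per_second[rec["ts"]]["lookups"] += 1
            names.add(rec["lookup"][1])
        elif rec["func"] == "sysdb_search_users" and rec["msg"] == "No such entry":
            # The local cache had no entry, so the back end has to go to LDAP.
            cache_misses += 1
    return {"per_second": dict(per_second), "names": sorted(names), "cache_misses": cache_misses}


def fan_out_seconds(summary, threshold=3):
    """Seconds in which at least `threshold` distinct user lookups were issued.

    Many lookups inside one second, each for a different name, are what a single
    id(1) call looks like when it expands into one lookup per group member.
    The threshold is an arbitrary assumption for this example.
    """
    return [ts for ts, c in summary["per_second"].items() if c["lookups"] >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("names looked up:", s["names"])
    print("sysdb misses:   ", s["cache_misses"])
    print("fan-out seconds:", fan_out_seconds(s))
```

Run it against a real log with `summarize(open("/var/log/sssd/sssd_<domain>.log").read())`; a short burst of lookups for names that are not the one passed to `id` is the pattern to look for.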
You're only showing the domain section, can you please show the whole file (sssd.conf)?
Thanks kbp for the reply!
Here is the top portion of the file that I didn't include.

[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP
domains = ****_ldap

[nss]

[pam]

# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_uri = ldap://ldap.mydomain.org
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_uri = ldap://your.ad.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM
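A checker for an sssd.conf of the shape posted above, added as an example and not code from the thread or from the sssd project. It reads the file with Python's configparser, verifies that every name in `domains` has a matching `[domain/NAME]` section (the stock comments say sssd will not start without one), and reports the effective value of the settings that govern how much of the directory a lookup touches: `enumerate`, which the shipped comments document as defaulting to false, and `ldap_schema`, which defaults to rfc2307 when unset. The sample configuration is constructed with placeholder names; it deliberately lists a domain that has no section so the missing-section check fires.

```python
import configparser

# Constructed sample in the layout of the posted file; names are placeholders.
# "stale_domain" is listed on purpose without a [domain/stale_domain] section.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
# domains = LDAP
domains = example_ldap, stale_domain

[nss]

[pam]

[domain/example_ldap]
debug_level = 6
id_provider = ldap
ldap_id_use_start_tls = False
ldap_search_base = dc=example,dc=com
ldap_uri = ldap://ldap.example.com
auth_provider = krb5
krb5_realm = EXAMPLE.COM
cache_credentials = False
"""

# Defaults applied when an option is absent from the domain section
# (enumerate per the shipped comments, ldap_schema per sssd-ldap(5)).
DEFAULT_ENUMERATE = False
DEFAULT_LDAP_SCHEMA = "rfc2307"


def load_sssd_conf(text):
    """Parse sssd.conf text; '#' comment lines are skipped by configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(cp):
    """Return effective per-domain settings and a list of (section, finding) pairs."""
    findings = []
    effective = {}
    raw = cp.get("sssd", "domains", fallback="")
    domains = [d.strip() for d in raw.split(",") if d.strip()]
    if not domains:
        findings.append(("sssd", "no domains listed; sssd will not start without one"))
    for name in domains:
        sec = f"domain/{name}"
        if not cp.has_section(sec):
            findings.append((sec, "listed in [sssd] domains but the section is missing"))
            continue
        settings = {
            "id_provider": cp.get(sec, "id_provider", fallback=None),
            "enumerate": cp.getboolean(sec, "enumerate", fallback=DEFAULT_ENUMERATE),
            "ldap_schema": cp.get(sec, "ldap_schema", fallback=DEFAULT_LDAP_SCHEMA),
            "cache_credentials": cp.getboolean(sec, "cache_credentials", fallback=False),
        }
        effective[name] = settings
        if settings["enumerate"]:
            findings.append((sec, "enumerate = true downloads every user and group entry"))
        if not cp.has_option(sec, "ldap_schema"):
            findings.append((sec, f"ldap_schema not set; default {DEFAULT_LDAP_SCHEMA} applies"))
    return {"effective": effective, "findings": findings}


if __name__ == "__main__":
    report = audit(load_sssd_conf(SAMPLE_CONF))
    for domain, settings in report["effective"].items():
        print(domain, settings)
    for section, text in report["findings"]:
        print(f"[{section}] {text}")
```

Point it at the real file with `audit(load_sssd_conf(open("/etc/sssd/sssd.conf").read()))`; the file is normally mode 0600 and owned by root, so run it as root rather than loosening the permissions.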
I posted a script here, it might be worth giving it a try. The admin account filter prevents any old user from logging in, you can modify it to suit or remove it.