LinuxQuestions.org

Thread: id command seems to query entire ldap server using RHEL6.3 and sssd (https://www.linuxquestions.org/questions/linux-software-2/id-command-seems-to-query-entire-ldap-server-using-rhel6-3-and-sssd-4175419599/)

shingquak 07-31-2012 02:04 PM

id command seems to query entire ldap server using RHEL6.3 and sssd
 
I have an issue where the "id" command takes nearly 2 minutes to complete and seems to query the full LDAP database, which is greater than 50,000 entries.

I'm guessing I'm missing something in the sssd.conf file, but I can't seem to find out what.

I'm using Kerberos for authentication and LDAP for authorization, all controlled via sssd on RHEL 6.3. Below is the relevant sssd.conf file:

[domain/*****]
debug_level = 6
id_provider = ldap
ldap_id_use_start_tls = False
ldap_search_base = dc=***,dc=***
ldap_uri = ldap://**********
ldap_tls_cacertdir = /etc/openldap/cacerts

auth_provider = krb5
krb5_realm = ************
chpass_provider = none
krb5_server = *********,*********,********
krb5_kpasswd = *********
cache_credentials = False
___________________________________________________________________________________________________
And here is the relevant section of my nsswitch.conf file:
passwd: files sss
shadow: files sss
group: files sss

hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
____________________________________________________________
Here is a snippet of the sssd_domain log file:
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user1))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[***_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user2))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user3))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user4))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry


Any help would be much appreciated.
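
Counting what the log above records, as an added example that is not part of the thread: the script below parses sssd backend debug lines of the shape posted, counts the calls per function, lists every account name that appears in a (nameAlias=...) filter, records which of those were followed by a "No such entry" reply from sysdb_search_users, and reports the wall time the lines span. The embedded SAMPLE_LOG is constructed to match the posted format, with example_ldap and user1..user4 as placeholders; that a lookup which finds a cached entry logs no "No such entry" line at this debug level is an assumption.

```python
"""Summarise sssd backend debug-log lines for a single id lookup.

Added example; not code from the thread. SAMPLE_LOG is constructed to match
the shape of the posted lines (domain and account names are placeholders).
"""
import re
import time
from collections import Counter

SAMPLE_LOG = """\
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user1))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user2))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:11 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user3))
(Tue Jul 31 13:55:12 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user4))
(Tue Jul 31 13:55:12 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:12 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
"""

# "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
NAME_RE = re.compile(r"\(nameAlias=(?P<name>[^)]+)\)")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Split one debug line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count calls per function and per-name cache lookups in a log window."""
    calls = Counter()
    lookups = []          # every name searched, in order
    misses = []           # names whose search was answered "No such entry"
    first = last = None
    pending = None        # name from the most recent sysdb_search_users filter
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts = time.mktime(time.strptime(rec["ts"], TS_FMT))
        first = ts if first is None else first
        last = ts
        calls[rec["func"]] += 1
        if rec["func"] != "sysdb_search_users":
            continue
        nm = NAME_RE.search(rec["msg"])
        if nm:
            # A search that is never answered "No such entry" is assumed
            # to have hit the cache (assumption, see lead-in).
            pending = nm.group("name")
            lookups.append(pending)
        elif rec["msg"] == "No such entry" and pending is not None:
            misses.append(pending)
            pending = None
    return {
        "calls": dict(calls),
        "lookups": lookups,
        "misses": misses,
        "distinct_names": len(set(lookups)),
        "seconds": 0.0 if first is None else last - first,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['distinct_names']} distinct names looked up in {s['seconds']:.0f}s")
    print("cache misses:", ", ".join(s["misses"]))
    for func, n in sorted(s["calls"].items()):
        print(f"  {func}: {n}")
```

Run it over /var/log/sssd/sssd_<domain>.log for the window of one id call; the number of distinct names tells you how many accounts sssd walked for a single lookup, and the misses are the ones it had no cached entry for.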

kbp 08-01-2012 10:59 PM

You're only showing the domain section; can you please show the whole file (sssd.conf)?

shingquak 08-02-2012 10:00 AM

Thanks kbp for the reply!

Here is the top portion of the file that I didn't include.


[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

domains = ****_ldap
[nss]

[pam]

# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_uri = ldap://ldap.mydomain.org
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_uri = ldap://your.ad.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM
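
To read the merged file the way sssd will, here is an added example (not code from the thread) that parses an sssd.conf with Python's configparser and reports the options that matter for this problem and for the channel the lookups travel over: enumerate, ldap_schema, ldap_id_use_start_tls together with the URI scheme, and cache_credentials. The embedded SAMPLE_SSSD_CONF is constructed from the posted file with example.com placeholders in place of the redacted values; the defaults in DEFAULTS are those documented in sssd.conf(5) and sssd-ldap(5).

```python
"""Audit the options in an sssd.conf that bear on the thread above.

Added example, not code from the thread. SAMPLE_SSSD_CONF is a constructed
file modelled on the posted one; the example.com names replace the redacted
values and are assumptions.
"""
import configparser

SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example_ldap

[nss]

[pam]

[domain/example_ldap]
debug_level = 6
id_provider = ldap
ldap_id_use_start_tls = False
ldap_search_base = dc=example,dc=com
ldap_uri = ldap://ldap.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts

auth_provider = krb5
krb5_realm = EXAMPLE.COM
chpass_provider = none
krb5_server = kdc1.example.com,kdc2.example.com
krb5_kpasswd = kdc1.example.com
cache_credentials = False
"""

# Documented defaults for options the file may leave unset.
DEFAULTS = {
    "enumerate": "false",
    "ldap_schema": "rfc2307",
    "ldap_id_use_start_tls": "false",
    "cache_credentials": "false",
}


def load(text):
    """Parse sssd.conf text; interpolation is off so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def truthy(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def effective(cp, domain):
    """Return {option: (value, origin)} for one [domain/NAME] section."""
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section")
    out = {}
    for key, default in DEFAULTS.items():
        if cp.has_option(section, key):
            out[key] = (cp.get(section, key).strip(), "explicit")
        else:
            out[key] = (default, "default")
    for key in ("ldap_uri", "id_provider", "auth_provider"):
        origin = "explicit" if cp.has_option(section, key) else "unset"
        out[key] = (cp.get(section, key, fallback="").strip(), origin)
    return out


def audit(text):
    """Return {domain: [(code, message), ...]} for each domain in [sssd]."""
    cp = load(text)
    report = {}
    for domain in (d.strip() for d in cp.get("sssd", "domains").split(",")):
        eff = effective(cp, domain)
        findings = []
        uris = [u.strip() for u in eff["ldap_uri"][0].split(",") if u.strip()]
        if any(u.startswith("ldap://") for u in uris) and not truthy(eff["ldap_id_use_start_tls"][0]):
            findings.append(("PLAINTEXT_LDAP",
                             "ldap:// URI with ldap_id_use_start_tls=false: identity lookups "
                             "leave the host unencrypted; set ldap_id_use_start_tls = True "
                             "or use an ldaps:// URI"))
        if truthy(eff["enumerate"][0]):
            findings.append(("ENUMERATE",
                             "enumerate=true makes sssd download every user and group; "
                             "keep it false on a large directory"))
        if eff["ldap_schema"][1] == "default":
            findings.append(("SCHEMA_DEFAULT",
                             "ldap_schema is not set, so rfc2307 is assumed; "
                             "check that matches the directory"))
        if truthy(eff["cache_credentials"][0]):
            findings.append(("CACHED_CREDS",
                             "cache_credentials=true stores password hashes locally "
                             "for offline login"))
        report[domain] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_SSSD_CONF).items():
        print(f"[domain/{domain}]")
        for code, msg in findings:
            print(f"  {code}: {msg}")
```

Run it against /etc/sssd/sssd.conf (readable only by root, mode 0600) by passing the file's text to audit(). With the settings posted in this thread it reports PLAINTEXT_LDAP, because ldap_uri is ldap:// and ldap_id_use_start_tls is False, and SCHEMA_DEFAULT, because ldap_schema is not set; enumerate is not set either, so the documented default of false applies.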

kbp 08-03-2012 07:26 AM

I posted a script here; it might be worth giving it a try. The admin account filter prevents any old user from logging in; you can modify it to suit or remove it.

