LinuxQuestions.org
Old 07-31-2012, 02:04 PM   #1
shingquak
LQ Newbie
 
Registered: Jun 2008
Distribution: RHEL 5
Posts: 3

Rep: Reputation: 0
id command seems to query entire ldap server using RHEL6.3 and sssd


I have an issue where the "id" command takes nearly 2 minutes to complete and seems to query the full ldap database, which is greater than 50,000 entries.

I'm guessing I'm missing something in the sssd.conf file, but I can't seem to find out what.

I'm using kerberos for authentication and ldap for authorization, all controlled via sssd on RHEL 6.3. Below is the relevant sssd.conf file:

[domain/*****]
debug_level = 6
id_provider = ldap
ldap_id_use_start_tls = False
ldap_search_base = dc=***,dc=***
ldap_uri = ldap://**********
ldap_tls_cacertdir = /etc/openldap/cacerts

auth_provider = krb5
krb5_realm = ************
chpass_provider = none
krb5_server = *********,*********,********
krb5_kpasswd = *********
cache_credentials = False
___________________________________________________________________________________________________
And here is the relevant section my nsswitch.conf file:
passwd: files sss
shadow: files sss
group: files sss

hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
____________________________________________________________
Here is a snippet of the sssd_domain log file:
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user1))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[***_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user2))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user3))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user4))
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[****_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry


Any help would be much appreciated.

Last edited by shingquak; 07-31-2012 at 02:05 PM.
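As an added diagnostic example (not code from the thread), this Python script parses lines in the sssd_domain log format quoted above and reports how many distinct users a single lookup fans out to, how many sysdb lookups missed the cache, and how many distinct seconds the activity spans; the backend name, timestamps and user names in the embedded sample are constructed placeholders, and sssd itself is not required to run it.

```python
import re
from collections import Counter

# Constructed sample in the sssd_domain log format quoted in the post
# (backend name, timestamps and user names are placeholders).
SAMPLE_LOG = """\
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user1))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user2))
(Tue Jul 31 13:55:10 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): No such entry
(Tue Jul 31 13:55:11 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user1))
(Tue Jul 31 13:55:11 2012) [sssd[be[example_ldap]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(nameAlias=user3))
"""

# One log line: (timestamp) [sssd[be[backend]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<backend>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# The user name inside the sysdb search filter, e.g. (nameAlias=user1)
FILTER_RE = re.compile(r"\(nameAlias=(?P<name>[^)]+)\)")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Count distinct users resolved through sysdb_search_users and cache misses."""
    lookups = Counter()   # user name -> number of sysdb searches for it
    misses = 0            # "No such entry" results from sysdb_search_users
    seconds = set()       # distinct timestamps carrying a search
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["func"] != "sysdb_search_users":
            continue
        f = FILTER_RE.search(rec["msg"])
        if f:
            lookups[f.group("name")] += 1
            seconds.add(rec["ts"])
        elif rec["msg"] == "No such entry":
            misses += 1
    return {
        "distinct_users": len(lookups),
        "total_lookups": sum(lookups.values()),
        "cache_misses": misses,
        "seconds_spanned": len(seconds),
        "most_looked_up": lookups.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # on a real log, read the file into summarize()
```

A distinct-user count in the thousands for one `id` call is the signature of the fan-out described in the post, and the cache-miss count shows how much of it went to the LDAP server rather than the local sysdb cache.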
 
Old 08-01-2012, 10:59 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
You're only showing the domain section; can you please show the whole file (sssd.conf)?
 
Old 08-02-2012, 10:00 AM   #3
shingquak
LQ Newbie
 
Registered: Jun 2008
Distribution: RHEL 5
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks kbp for the reply!

Here is the top portion of the file that I didn't include.


[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

domains = ****_ldap
[nss]

[pam]

# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_uri = ldap://ldap.mydomain.org
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_uri = ldap://your.ad.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM
 
Old 08-03-2012, 07:26 AM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
I posted a script here; it might be worth giving it a try. The admin account filter prevents any old user from logging in; you can modify it to suit or remove it.
 