Re: Fedora 34 Change proposal: Remove and deprecate nscd in favour of sssd and systemd-resolved (Self-Contained Change)

On Sat, Nov 14, 2020 at 5:11 PM Markus Larsson <qrsbrwn@xxxxxxxxxx> wrote:
>
>
>
> On 5 November 2020 13:58:54 CET, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
> >
> >sssd also breaks other LDAP setups. It's extremely broken with larger
> >LDAP setups because it insists on caching *ALL* of the LDAP, barring
> >being able to filter to only a smaller set of the LDAP. But because so
> >many LDAP setups scatter group and user information in so many
> >distinct parts of the LDAP layout, this never works and it *ALWAYS*
> >times out in large, remote LDAP setups. It works for a few seconds at
> >start time, then crashes and takes out *all* sssd based services.
>
> I don't share this experience and I run sssd in large environments. Sssd will by default look up the user authenticating, the groups that user belongs to and all members of those groups.
> Looking up group members is easily turned off and leads to a much smoother experience from what I have seen.
> I still don't think deprecating nscd seems like a reasonable change. Change defaults, well ok. Deprecating, I don't really see why tbh.

Part of the difficulty comes when you only want to see certain LDAP
groups, or permit access only for certain groups. When those groups
are scattered around a poorly organized LDAP layout, it means you need
to cache *all* the relevant OUs. Unless your pipeline to your remote
environment is large, or you have deployed local LDAP servers to
provide a remote mirror, the bulk pre-caching times out and causes all
sssd-related daemons to turn off after working for a short period; the
daemons die. This was *nasty* when I observed it a few years ago; I
had to convince the LDAP admins to set up new mirror groups in a much
smaller OU workspace.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx



