On 14 November 2020 23:35:09 CET, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
>On Sat, Nov 14, 2020 at 5:11 PM Markus Larsson <qrsbrwn@xxxxxxxxxx> wrote:
>>
>> On 5 November 2020 13:58:54 CET, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
>> >
>> >sssd also breaks other LDAP setups. It's extremely broken with larger
>> >LDAP setups because it insists on caching *ALL* of the LDAP, barring
>> >being able to filter to only a smaller set of the LDAP. But because so
>> >many LDAP setups scatter group and user information in so many
>> >distinct parts of the LDAP layout, this never works and it *ALWAYS*
>> >times out in large, remote LDAP setups. It works for a few seconds at
>> >start time, then crashes and takes out *all* sssd based services.
>>
>> I don't share this experience and I run sssd in large environments. Sssd will by default look up the user authenticating, the groups that user belongs to and all members of those groups.
>> Looking up group members is easily turned off and leads to a much smoother experience from what I have seen.
>> I still don't think deprecating nscd seems like a reasonable change. Change defaults, well ok. Deprecating, I don't really see why tbh.
>
>Part of the difficulty comes when you only want to see certain LDAP
>groups, or permit access only for certain groups. When those groups
>are scattered around a poorly organized LDAP layout, it means you need
>to cache *all* the relevant OU's. Unless your pipeline to your remote
>environment is large, or you have deployed local LDAP servers to
>provide a remote mirror, the bulk pre-caching times out and causes all
>sssd related daemons to turn off after working for a short period; the
>daemons die. This was *nasty* when I observed it a few years ago. I
>had to convince the LDAP admins to set up new mirror groups in a much
>smaller OU workspace.

Sounds like a horrible experience. It seems circumventable by not caching entire OUs though.
The way sssd has been used where I have been it has only cached users actually logging in. That's a single setting in sssd.conf that makes all the difference. Not saying you're wrong though, I've just never seen the issue over the years. I have seen early sssd take down an AD domain controller due to aggressively asking for every user but that was many years ago :)

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
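The settings the thread is talking about, as an added sssd.conf fragment that is not from either poster and not from the sssd project's own documentation; the domain name, server URI and search bases are placeholders (assumed), and the options shown are the documented `enumerate`, `ignore_group_members` and `ldap_*_search_base` knobs from sssd.conf(5):

```ini
# Added example: keep sssd from pre-caching a whole directory.
# Domain name, server and DNs below are placeholders, not real values.
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.test

# Do NOT download every user and group up front (default is False,
# but it is worth stating explicitly; True is what triggers the
# "cache *ALL* of the LDAP" behaviour described in the thread).
enumerate = False

# Only users who actually log in are resolved and cached, and their
# groups are resolved WITHOUT pulling in every member of every group.
# This is the single setting that stops the member fan-out.
ignore_group_members = True

# Instead of caching the whole tree, point sssd at the subtrees that
# hold the accounts and groups it is allowed to see.
ldap_user_search_base = ou=people,dc=example,dc=test
ldap_group_search_base = ou=unix-groups,dc=example,dc=test

# Bound how deep nested-group resolution goes on a deep LDAP layout.
ldap_group_nesting_level = 2

# Offline cache so a slow or unreachable remote LDAP does not take
# down logins for users who have already authenticated.
cache_credentials = True
```

Note that `ignore_group_members` only affects what group lookups return (membership via `id`/`getent group` will appear empty), while access decisions that rely on the user's own group list still work; check `sssctl user-checks <user>` after changing it.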