On Thu, Jul 20, 2023 at 1:49 PM Johnnie W Adams <jxadams@xxxxxxxx> wrote: > > Hi, folks, > > We're experiencing an odd ten-second delay intermittently when logging > into any of our Linux boxes which authenticate against LDAP. Here's where > it happens: > > Jul 13 11:54:23 console2 sshd[1853]: debug1: temporarily_use_uid: <my > uid\gid> (e=0/0) > > Jul 13 11:54:35 console2 sshd[1853]: debug1: trying public key file <my key > file> > > My assumption is there's something in sssd slowing it down, but I'm > having a heck of a time figuring out what or why. Any guidance would be > greatly appreciated. > > Thanks, > > John A sssd is a pretty aggressively "optimized" tool. It's designed, not to issue LDAP queries, but to pull from a locally stashed copy of the *entire* upstream LDAP directory, or at least enough of the LDAP directory to contain every dolder it may reference. The result can be really nasty when the VPN connection between an internal AD and a cloud environment, especially when it thinks it has to refresh that cache. All of it. Without notice. And crash, if it doesn't succeed within the hard-coded and un-tunable timeout periods. I'm not happy with some of sssd's behavior, especially the head games it plays with systemd about "I'm started, I'm running, I'm allowing logins via SSH, la-la-la-la-la, I failed to cache the full LDAP and now I will crash hard with systemd not noticing and recovering the service". It's an unpleasant problem. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
