Nico Kadel-Garcia wrote: > On Thu, Jul 20, 2023 at 1:49 PM Johnnie W Adams <jxadams@xxxxxxxx> wrote: >> >> Hi, folks, >> >> We're experiencing an odd ten-second delay intermittently when logging >> into any of our Linux boxes which authenticate against LDAP. Here's where >> it happens: >> >> Jul 13 11:54:23 console2 sshd[1853]: debug1: temporarily_use_uid: <my >> uid\gid> (e=0/0) >> >> Jul 13 11:54:35 console2 sshd[1853]: debug1: trying public key file <my key >> file> >> >> My assumption is there's something in sssd slowing it down, but I'm >> having a heck of a time figuring out what or why. Any guidance would be >> greatly appreciated. >> >> Thanks, >> >> John A > > sssd is a pretty aggressively "optimized" tool. It's designed, not to > issue LDAP queries, but to pull from a locally stashed copy of the > *entire* upstream LDAP directory, or at least enough of the LDAP > directory to contain every dolder it may reference. The result can be > really nasty when the VPN connection between an internal AD and a > cloud environment, especially when it thinks it has to refresh that > cache. All of it. Without notice. And crash, if it doesn't succeed > within the hard-coded and un-tunable timeout periods. > > I'm not happy with some of sssd's behavior, especially the head games > it plays with systemd about "I'm started, I'm running, I'm allowing > logins via SSH, la-la-la-la-la, I failed to cache the full LDAP and > now I will crash hard with systemd not noticing and recovering the > service". It's an unpleasant problem. Sounds like you'd be better off using nslcd. And if you want caching of the LDAP info, use a local OpenLDAP slapd with slapo-pcache instead, which has all cache refresh/expiration/etc intervals fully configurable. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
