TROUBLESHOOTING: Performance tuning in sssd
This page will describe the performance related issues in sssd and how
to troubleshoot those issues.
Roy214 committed Aug 21, 2023
1 parent bb6c855 commit 78de7b8
Showing 1 changed file with 23 additions and 0 deletions.
23 changes: 23 additions & 0 deletions src/troubleshooting/performance.rst
@@ -0,0 +1,23 @@
Performance tuning SSSD
#######################

Slow id lookup
**************
This has been noticed id lookup become slow if the LDAP/AD user is a member of large groups say for example user is a member of 300+ groups. ``id`` is very heavy. ``id`` does a lot under its hood.
Behind the scenes, when the 'id $user' command is executed it triggers the following:

- Get user information - getpwnam() for the user

- Get primary group information - getgrgid() for the primary group of the user

- Get list of groups - getgrouplist() for the user

- Get group information for each group returned from step 3 - getgrid() for all GIDs returned from getgrouplist() call.

We need to identify out of the above 4 steps which step is actually slow. In order to collect detailed infromation we need to add ``debug_level = 9`` under the ``[$domain]`` section of the ``/etc/sssd/sssd.conf`` followed by a ``sssd`` restart. We often noticed step 4 is the step where sssd takes most of its time because the most data-intensive operation is downloading the groups including their members and by default this feature is enabled we can turn this off by setting ``ignore_group_members = true``.
Usually, we are interested in what groups a user is a member of (id aduser@ad_domain) as the initial step rather than what members do specific groups include (getent group adgroup@ad_domain). Setting the ignore_group_members option to True makes all groups appear as empty, thus downloading only information about the group objects themselves and not their members, providing a significant performance boost. Please note that id aduser@ad_domain would still return all the correct groups.

- Pros: getgrnam/getgrgid calls are significantly faster.
- Cons: getgrnam/getgrgid calls only return the group information, not the members

**WARNING! If the compat tree is used, DO NOT SET ignore_group_members = true because it breaks the compatibility logic.
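Review bot: The fourth list item names `getgrid()`, which should be `getgrgid()` to match the second item and the Pros/Cons lines. The same paragraph refers to "step 3" and the next one to "step 4" and "the above 4 steps", but the list uses unnumbered `-` bullets, so please make it an enumerated list so those references resolve. The final WARNING line opens `**` and never closes it, which leaves the strong markup unterminated; a `.. warning::` directive would be cleaner. Smaller points: "infromation" should be "information"; the sentence starting "We often noticed step 4" runs two statements together at "this feature is enabled we can turn this off" and needs a break there; and `ignore_group_members` appears once as ``ignore_group_members = true`` and once unquoted with "True", so use the literal form and one spelling of the value throughout. Since the text says the option "makes all groups appear as empty", the Cons entry should also say that anything reading member lists through `getent group` will see no members. Finally, the text tells the reader to set ``debug_level = 9`` but not to revert it afterwards; consider adding that step.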
