As per https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/tuning_performance_in_identity_management/assembly_tuning-sssd-in-idm-servers-and-clients-for-large-idm-ad-trust-deployments_tuning-performance-in-idm#tuning_options_for_idm_clients
The setting ldap_deref_threshold in /etc/sssd/sssd.conf file should be set to 0 on all clients. On basic testing an initial id mobrien call after clearing the cache went from ~30s to ~10s and following id calls for other users were almost instant.
id mobrien
@arrfab
Can this be added as a drop in on /etc/sssd/conf.d/<foo.conf> or does this need changes in /etc/sssd/sssd.conf ?
when I found that setting and that it was speeding up things at the centos side, I asked mark to test it too using ansible lineinfile to have it in the [domain\fedoraproject.org] section is probably the best way (so main /etc/sssd/sssd.conf, as stated in the official doc)
lineinfile
Metadata Update from @mohanboddu: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
Metadata Update from @mohanboddu: - Issue tagged with: authentication
@smooge made patch to fix the issue, this fix will supersede that patch and any conflict due to that should be resolved.
FWIW, here is the small change for centos nodes : https://github.com/CentOS/ansible-role-ipa-client/commit/5495742d1a8e4ed63da6e56ab9ced15fbbb12da6
These changes still need to be made in prod. I will put it through
@mobrien I think this is done now and we can close this. Can you confirm?
This was done on ipsilon and people servers, other servers appear to be working ok so closing this out
Metadata Update from @mobrien: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.