#1823 getgrnam / getgrgid for large user groups is too slow due to range retrieval functionality
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 916997

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
A customer has a large user group containing 80.000+ users. When getgrgid is run
during login, it takes too long to download the full list of group members from
the Active directory LDAP server. This results in nss timing out after 58
seconds. Login succeeds, but it takes upto 5 minutes to complete.
This is also the case when listing a directory containing files whose group
owner is the large user group, and when running `getent group
<large_user_group>`.

Version-Release number of selected component (if applicable):
sssd-1.9.2-82

How reproducible:
Always

Steps to Reproduce:
1. Create a large user group containing 80000 users.
2. getent group <large_user_group>
3.

Actual results:
the getgrnam / getgrgid calls take 58 seconds to timeout.

Expected results:
the getgrnam / getgrgid calls should return reasonably quickly.

Additional info:
See following comments.

The short term fix would be to provide a new configuration option to limit the number of group members processed (or turn the range retrieval option off completely).

Long term handling of large requests is now tracked in ticket #1829

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.5
selected: =>
testsupdated: => 0

Fields changed

milestone: SSSD 1.9.5 => SSSD 1.10.0
review: => 0

Fields changed

owner: somebody => lslebodn

Fields changed

patch: 0 => 1
status: new => assigned

Moving to 1.10 beta as this enhancement requires a string change.

milestone: SSSD 1.10.0 => SSSD 1.10 beta

resolution: => fixed
status: assigned => closed

Fields changed

changelog: => A new configuration option ldap_disable_range_retrieval was added that lets the administrator disable the range retrievals and hence avoid downloading very large groups.

Metadata Update from @jhrozek:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.10 beta

2 years ago

Login to comment on this ticket.

Metadata