Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 916997
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: A customer has a large user group containing 80.000+ users. When getgrgid is run during login, it takes too long to download the full list of group members from the Active directory LDAP server. This results in nss timing out after 58 seconds. Login succeeds, but it takes upto 5 minutes to complete. This is also the case when listing a directory containing files whose group owner is the large user group, and when running `getent group <large_user_group>`. Version-Release number of selected component (if applicable): sssd-1.9.2-82 How reproducible: Always Steps to Reproduce: 1. Create a large user group containing 80000 users. 2. getent group <large_user_group> 3. Actual results: the getgrnam / getgrgid calls take 58 seconds to timeout. Expected results: the getgrnam / getgrgid calls should return reasonably quickly. Additional info: See following comments.
The short term fix would be to provide a new configuration option to limit the number of group members processed (or turn the range retrieval option off completely).
Long term handling of large requests is now tracked in ticket #1829
blockedby: => blocking: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => milestone: NEEDS_TRIAGE => SSSD 1.9.5 selected: => testsupdated: => 0
Fields changed
milestone: SSSD 1.9.5 => SSSD 1.10.0 review: => 0
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=916997 916997] => [https://bugzilla.redhat.com/show_bug.cgi?id=916997 916997] [https://bugzilla.redhat.com/show_bug.cgi?id=928807 928807]
owner: somebody => lslebodn
patch: 0 => 1 status: new => assigned
Moving to 1.10 beta as this enhancement requires a string change.
milestone: SSSD 1.10.0 => SSSD 1.10 beta
resolution: => fixed status: assigned => closed
changelog: => A new configuration option ldap_disable_range_retrieval was added that lets the administrator disable the range retrievals and hence avoid downloading very large groups.
Metadata Update from @jhrozek: - Issue assigned to lslebodn - Issue set to the milestone: SSSD 1.10 beta
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2865
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Log in to comment on this ticket.