#2795 [RFE] Make initgroups request during login more configurable
Closed: cloned-to-github 7 months ago by pbrezina. Opened 5 years ago by sbose.

Currently, for every new login the full group membership of the user is read from the server to make sure it is up-to-date. In environments with many domains and servers (AD forest, IPA with trust to AD) this might cause quite a number of lookups on different servers and as a result leads to a long login process.

The only option to control this behavior a bit is pam_id_timeout. But this timeout is a per-user timeout; even if all data is in the cache, the login of a different user will trigger a group lookup on the server again.

Since we already track the lifetime of the group-membership data with SYSDB_INITGR_EXPIRE it might help to improve performance in environments where the group-memberships do not change that often to allow the PAM responder to skip the group lookup if the cached data is still valid. For better tuning it would make sense to add a new option to make the lifetime of the group-membership data independent of the lifetime of the user entry itself.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.3

Fields changed

rhbz: => todo

Fields changed

owner: somebody => preichl

This ticket still needs work and we need to release 1.13.3 soon.

milestone: SSSD 1.13.3 => SSSD 1.13.4

This is a performance enhancement which is the scope of 1.14. But because this ticket has lower priority than the cache split, I'm only moving it to the Beta milestone.

milestone: SSSD 1.13.4 => SSSD 1.14 beta

Fields changed

owner: preichl => pcech

Too late for 1.14 beta, but might be a good idea for a subsequent 1.14 release.

milestone: SSSD 1.14 beta => SSSD 1.14 backlog

Since the 1.14 branch is transitioning into maintenance mode and new functionality is being developed in master which will become 1.15 eventually, I'm mass-moving tickets from the 1.14 backlog milestone to the "Future releases" milestone.

milestone: SSSD 1.14 backlog => SSSD Future releases (no date set yet)

Metadata Update from @sbose:
- Issue assigned to pcech
- Issue set to the milestone: SSSD Future releases (no date set yet)

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3836

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

7 months ago
