#799 RFC2307bis 'id' lookups are prohibitively slow

Created 6 years ago by sgallagh
Modified 3 months ago

For an LDAP setup using RFC2307bis with many users and nested groups, performing

id username

can take as long as several minutes to complete.

Jakub did an initial investigation into the code and discovered that we aren't using the {{{sysdb_add_fake_user()}}} routine in the RFC2307bis nested group processing, which means that we're resorting to looking up all of the users in those groups. This is very slow.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.6.0
priority: critical => blocker

Fields changed

patch: => 1
status: new => assigned

Fixed in master:





resolution: => fixed
status: assigned => closed

The problem still exists in 1.6.3

resolution: fixed =>
rhbz: =>
status: closed => reopened

Fields changed

milestone: SSSD 1.6.0 => NEEDS_TRIAGE

This request has been coming from several different users running in different environments. I would propose that we gather as much info from the users before we decide on where to optimize.

I think that a systemtap script that generates a callgraph with statistics about how much time do we spend in different functions and perhaps how much time we spend waiting on I/O (both disk and network) would help us here. Then we would at least know whether we should spend time parallelizing the lookups or perhaps profiling the memberof plugin some more..

Replying to [comment:5 mmoeller]:

The problem still exists in 1.6.3

Marcus, can you measure how slow initgroups are for you?

I would like to ask you to:
1. clear the caches
2. run "id -G $username"

The -G parameter is important - that would make sure only initgroups is performed and "id" would then output the GID numbers of the groups user is a member of. Without the -G parameter, "id" then calls getgrgid() on all the group GIDs which may be very slow (and may not be fixable).

Thank you!

Also when running the test, would you mind telling us how big the group structure is? In other words, how many groups does the user belong to?

Fields changed

blockedby: =>
blocking: =>
milestone: NEEDS_TRIAGE => SSSD Deferred

Fields changed

priority: blocker => minor

The issue is already fixed in 1.6. The bug was reopened by mistake.

milestone: SSSD Deferred => SSSD 1.6.0
resolution: => fixed
status: reopened => closed

3 months ago

Metadata Update from @sgallagh:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.6.0

Login to comment on this ticket.


LDAP Provider