Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-150439

Poor performance of `BE_REQ_INITGROUPS` handling by 'sssd_be' (LDAP RFC2307, no nested groups) [rhel-9]

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Major Major
    • rhel-9.9
    • rhel-9.8
    • sssd
    • None
    • Important
    • rhel-idm
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      This is a clone of issue RHEL-142964 to use for version rhel-9.8

      Original description:
      When user is a member of many groups (~10k), handling of `BE_REQ_INITGROUPS` by generic LDAP backend take extremely long time (can be several mins) that can exceed `SBUS_MESSAGE_TIMEOUT`, making 'sssd_nss' to abort client's request.

      Logs inspections suggest that most of the time is spent in:
      (1) `sdap_add_incomplete_groups()` takes ~35..45%
      (2) `sysdb_update_members()` takes remaining ~55..65%

      Step (2) adds user itself to all the groups stored at step (1)

      The idea is that user can be added to groups already at step (1), thus eliminating the need for step (2) altogether.

              sssd-maint SSSD Maintainers
              watson-automation Watson Automation
              Alexey Tikhonov Alexey Tikhonov
              SSSD QE SSSD QE
              Louise McGarry Louise McGarry
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated: