Bug 1925621
| Summary: | document impact of indices and of scope on performance of LDAP queries | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Antonio Romito <aromito> |
| Component: | sssd | Assignee: | Pavel Březina <pbrezina> |
| Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.4 | CC: | atikhono, daniele, dlavu, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | sync-to-jira | ||
| Fixed In Version: | sssd-2.5.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 19:47:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Antonio Romito
2021-02-05 17:28:22 UTC
Hi,

imo it is highly dependent on the server-side implementation if scope=one has a better performance than scope=sub. Most important for the server-side performance are proper indices and if those are available there shouldn't be a difference between the scopes assuming that the searched objects are all in the same container.

With respect to the documentation we can mention that indices should be used to improve performance, emphasizing the scope might be misleading.

In general SSSD already allows to set the scope with the search base, e.g. for sudo rules see ldap_sudo_search_base in man sssd-ldap for details. So I see no reason to change the default scope.

HTH

bye,
Sumit

Upstream ticket: https://github.com/SSSD/sssd/issues/5603
Upstream PR: https://github.com/SSSD/sssd/pull/5610
Pushed PR: https://github.com/SSSD/sssd/pull/5610
* `master`
* b3247eeb562bf92ea7f0938eda6d0203e7cb63c4 - man: document how to tune sudo performance

# man sssd-sudo | awk /'TUNING THE PERFORMANCE'/,/'SEE ALSO'/
TUNING THE PERFORMANCE
SSSD uses different kinds of mechanisms with more or less complex LDAP filters to keep the cached sudo rules up to date. The default configuration is set to values that should satisfy most of our
users, but the following paragraps contains few tips on how to fine tune the configuration to your requirements.
1. Index LDAP attributes. Make sure that following LDAP attributes are indexed: objectClass, cn, entryUSN or modifyTimestamp.
2. Set ldap_sudo_search_base. Set the search base to the container that holds the sudo rules to limit the scope of the lookup.
3. Set full and smart refresh interval. If your sudo rules do not change often and you do not require quick update of cached rules on your clients, you may consider increasing the
ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval. You may also consider disabling the smart refresh by setting ldap_sudo_smart_refresh_interval = 0.
4. If you have large number of clients, you may consider increasing the value of ldap_sudo_random_offset to distribute the load on the server better.
SEE ALSO
[root@auto-hv-01-guest01 ~]# rpm -q sssd
sssd-2.5.0-1.el8.x86_64
[root@vm-idm-023 ~]# man sssd-sudo | awk /'TUNING THE PERFORMANCE'/,/'SEE ALSO'/
TUNING THE PERFORMANCE
SSSD uses different kinds of mechanisms with more or less complex LDAP filters to keep the cached sudo rules up to date. The default configuration is set to values
that should satisfy most of our users, but the following paragraps contains few tips on how to fine tune the configuration to your requirements.
1. Index LDAP attributes. Make sure that following LDAP attributes are indexed: objectClass, cn, entryUSN or modifyTimestamp.
2. Set ldap_sudo_search_base. Set the search base to the container that holds the sudo rules to limit the scope of the lookup.
3. Set full and smart refresh interval. If your sudo rules do not change often and you do not require quick update of cached rules on your clients, you may
consider increasing the ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval. You may also consider disabling the smart refresh by setting
ldap_sudo_smart_refresh_interval = 0.
4. If you have large number of clients, you may consider increasing the value of ldap_sudo_random_offset to distribute the load on the server better.
SEE ALSO
[root@vm-idm-023 ~]# rpm -q sssd
sssd-2.5.0-1.el8.x86_64
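An added example, not part of the bug report or SSSD's own code: a Python check that reads an sssd.conf and lists, per domain section, which of the client-side tips (2 to 4) from the TUNING THE PERFORMANCE section quoted above are not applied. The sample configuration, domain name and DNs are constructed, and the rule that the full refresh interval must be greater than the smart one is taken from man sssd-ldap rather than from this page.

```python
import configparser

# Constructed sample sssd.conf: domain name and DNs are placeholders.
SAMPLE_CONF = """
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ldap
ldap_search_base = dc=example,dc=test
ldap_sudo_full_refresh_interval = 600
ldap_sudo_smart_refresh_interval = 900
"""

def audit_sudo_tuning(conf_text):
    """Return {section: [review items]} for tips 2-4; tip 1 (indexes) is server-side."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("sudo_provider", "").strip().lower() == "none":
            continue  # sudo rules are not fetched for this domain
        items = []
        # Tip 2: a dedicated base limits the lookup to the sudo rules container.
        if "ldap_sudo_search_base" not in dom:
            items.append("ldap_sudo_search_base is not set")
        # Tip 3: refresh intervals; smart = 0 disables the smart refresh.
        full = dom.get("ldap_sudo_full_refresh_interval")
        smart = dom.get("ldap_sudo_smart_refresh_interval")
        if full is None and smart is None:
            items.append("refresh intervals are left at their defaults")
        elif full is not None and smart is not None and 0 < int(smart) >= int(full):
            # Constraint from man sssd-ldap (assumption, not stated on this page).
            items.append("full refresh interval is not greater than smart refresh interval")
        # Tip 4: a random offset spreads client refreshes over time.
        if "ldap_sudo_random_offset" not in dom:
            items.append("ldap_sudo_random_offset is not set")
        report[section] = items
    return report

if __name__ == "__main__":
    for section, items in audit_sudo_tuning(SAMPLE_CONF).items():
        print(section, items or "no review items")
```

The items are prompts for review, not errors: the man page presents every tip as something to consider, and the defaults are meant to suit most deployments.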
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:4435