Description of problem:
Users who are a member of one or more groups containing large numbers of members end up with unacceptable wait times (or timeouts) performing initgroups calls.
Since initgroups calls are always performed on login, this is causing unacceptably long login waits.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create 10,000 users in LDAP.
2. Create a group that contains all of these users
3. Attempt to log in as one of these users.
There is a very long wait time to log in (measured in seconds, if not tens of seconds depending on system I/O performance)
Login time should be reasonable ( < 5 seconds)
This is happening because we tried to be too clever with the initgroups calls. When a user logs in, we attempt to completely refresh all entries associated with all groups the user is a member of. This worked fine in our small test environments, but we didn't adequately test this for scalability. Our customers are now doing this for us and are not pleased with the results.
Testers: you can compile and run the following C program and run it with the 'time' command
int main(int argc, char **argv)
Compile and run:
gcc -o initgroups.test getgroups.c
time ./initgroups.test <username>
Prior to this patch, time would have reported 3-5s for users in groups of ~300-500 users. After this patch it will average < 1s.
Please test this on users of varying sized groups and numbers of groups.
1. Created a group bosgroup with 500 users, Group1 with 5000 users and mumgroup with 10000 users.
2. bos 500 is a member of Group1 and mumgroup.
3. pnq5000 is a member of mumgroup.
4. mum9999 is a member on mumgroup.
[root@rhel6snap11 ~]# time ./initgroups.test bos500
[root@rhel6snap11 ~]# time ./initgroups.test pnq5000
[root@rhel6snap11 ~]# time ./initgroups.test mum9999
Where can I find the patch used to fix this issue?
(In reply to comment #4)
> Where can I find the patch used to fix this issue?
However, as is being discussed right now at https://fedorahosted.org/pipermail/sssd-devel/2010-September/004540.html we've discovered that this patch has introduced some issues with group resolution under certain circumstances.
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.