Ticket #1355 (closed defect: fixed)

Opened 5 years ago

Last modified 4 years ago

ldap_schema = ad performance issue

Reported by: myllynen
Owned by: sgallagh
Priority: critical
Milestone: SSSD 1.9.0
Component: SSSD
Version: 1.9.0 beta 1
Keywords:
Cc:
Blocked By:
Blocking:
Sensitive:
Tests Updated: no
Coverity Bug:
Patch Submitted: yes
Red Hat Bugzilla: 0
Design link:
Feature Milestone:
Design review:
Fedora test page:
Chosen:
Candidate to push out:
Release Notes:
Temp mark:


On an AD domain both winbind/idmap_rid and winbind/idmap_autorid provide an expected reply for "id testuser" in less than a second. However, for sssd-1.9 nightly git snapshot with ldap_schema = ad in use the same operation takes over six minutes.

Logs with confidential information sent in private e-mail.

Change History

comment:1 Changed 5 years ago by dpal

  • Red Hat Bugzilla set to 0
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.9.0

comment:2 Changed 4 years ago by dpal

  • Milestone changed from SSSD 1.9.0 to SSSD 1.9.0 RC1

comment:3 Changed 4 years ago by sgallagh

  • Owner changed from somebody to sgallagh
  • Status changed from new to assigned
  • proposed_priority set to Blocker

comment:4 Changed 4 years ago by dpal

  • proposed_priority changed from Blocker to Undefined

comment:5 Changed 4 years ago by sgallagh

We suspect that the issue here is that the customer in question is running AD in its default mode, which does not provide LDAP indexes for the member and memberOf attributes. We have asked the customer to enable these indexes. We're awaiting the results, but we expect this to provide several orders of magnitude of improved performance.

In that case, we'll change this to a documentation bug to recommend enabling these indexes.

I've done limited testing of this on my own AD setup (which is much smaller than this customer's setup) and found a sizeable performance boost by indexing.

comment:6 Changed 4 years ago by stefw

I don't think this can be relegated to a documentation bug. A goal is to make RHEL work out of the box with Active Directory.

It would be one thing if the sssd fails with some esoteric AD configuration. But if it falls over with a default AD setup, and requires changes on the AD side to fix it, then that can't really be considered 'work out of the box'.

Is there another way to fix this issue?

comment:7 Changed 4 years ago by sgallagh

Yes, there is another way to fix this issue, but it's very complicated. AD provides much faster responses for requests coming in via MSRPC communication. It appears that the internal mechanism used to answer such requests is indexed (and very fast) when coming through that channel, but a default AD install uses no indexing in the LDAP implementation.

So yes, we can eventually support communication via MSRPC, but this is a major undertaking.

comment:8 Changed 4 years ago by dpal

  • proposed_priority changed from Undefined to Core
  • Milestone changed from SSSD 1.9.0 beta 7 to Temp milestone

The alternative to consider is the global catalog. The use of the MSRPC or global catalog falls into the feature parity effort with Winbind so it is a core requirement for the next release.

comment:9 Changed 4 years ago by dpal

  • Milestone changed from Temp milestone to SSSD 1.10 beta

Moving all the features planned for 1.10 release into 1.10 beta.

comment:10 Changed 4 years ago by dpal

  • Priority changed from blocker to critical

comment:11 Changed 4 years ago by myllynen

It seems clear that there's evidence (tests run at the customer, 1) that indexing doesn't change much on AD, so that's not a solution here. And there is also evidence that LDAP_MATCHING_RULE_IN_CHAIN (2) doesn't scale even in environments with thousands of users and groups (3), and we're talking about a magnitudes larger environment here.

However, Token-Groups (4) would seem to be a potential candidate to solve the issue; a few Windows developers have blogged about good results with it in the past (3,5), and initial testing at the customer shows that it provides the expected group membership results in a fraction of a second.

1) http://us.generation-nt.com/answer/scared-index-attributes-help-37304842.html
2) http://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx
3) http://www.funkycoding.com/?p=345
4) http://msdn.microsoft.com/en-us/library/windows/desktop/ms680275%28v=vs.85%29.aspx
5) http://explodingcoder.com/blog/content/how-query-active-directory-security-group-membership

comment:12 Changed 4 years ago by sgallagh

  • Patch Submitted set

Patch submitted that allows the use of tokenGroups for lookups when SSSD is configured for ID-mapping. We cannot currently support this option for non-id-mapped configurations because the tokenGroups are stored as SIDs, not DNs.
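
The reason the tokenGroups approach described in comment:11 only works together with ID-mapping (comment:12) is that each tokenGroups value is a binary SID, not a group DN. With an algorithmic RID-to-ID mapping, every SID can be turned into a GID locally, with no further LDAP round trip per group. The following is an added example, not SSSD's code or the submitted patch: it decodes tokenGroups values into textual SIDs and maps the ones belonging to the user's domain to GIDs as base + RID. The domain SID, ID base, range size, the sample tokenGroups values and the ldapsearch invocation in the comments are all constructed for illustration.

```python
"""
Decode an Active Directory tokenGroups attribute and map its SIDs to POSIX GIDs
with a RID-based algorithmic mapping. Example code, not SSSD's implementation.
"""
import struct
from typing import List, Optional, Tuple

# tokenGroups is a constructed attribute that is only returned for a base-scope
# search on the user object itself; an illustrative (not executed) query:
#   ldapsearch -H ldap://dc.example.test \
#       -b "CN=testuser,CN=Users,DC=example,DC=test" -s base "(objectClass=*)" tokenGroups
# Each returned value is a binary SID (the transitive group set, nesting already
# resolved by the DC), not a DN. Without ID-mapping, every SID would need a second
# lookup to find the group's DN and POSIX GID.


def sid_to_string(blob: bytes) -> str:
    """Convert a binary SID (revision, sub-authority count, 48-bit big-endian
    identifier authority, little-endian 32-bit sub-authorities) to S-1-5-... form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    expected = 8 + 4 * sub_count
    if len(blob) != expected:
        raise ValueError(f"SID length {len(blob)} != expected {expected}")
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here only to build constructed sample values."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


class RidMapper:
    """Map SIDs of one domain to POSIX IDs as base + RID (the idmap_rid idea).

    SIDs from other domains and well-known SIDs such as S-1-5-32-545
    (BUILTIN\\Users) or S-1-1-0 (Everyone) are not mapped and yield None, so the
    caller can drop them instead of inventing IDs for them.
    """

    def __init__(self, domain_sid: str, base: int, range_size: int):
        self.domain_sid = domain_sid   # assumed domain SID, e.g. from the domain's objectSid
        self.base = base               # first POSIX ID reserved for this domain
        self.range_size = range_size   # RIDs at or above this do not fit the range

    def sid_to_id(self, sid: str) -> Optional[int]:
        prefix = self.domain_sid + "-"
        if not sid.startswith(prefix):
            return None
        rid = int(sid[len(prefix):])
        if rid >= self.range_size:
            return None
        return self.base + rid


def token_groups_to_gids(values: List[bytes], mapper: RidMapper) -> List[Tuple[str, Optional[int]]]:
    """Decode every tokenGroups value; GID is None for SIDs outside the mapped domain."""
    return [(sid_to_string(blob), mapper.sid_to_id(sid_to_string(blob))) for blob in values]


# Constructed sample data: a made-up domain SID and one user's tokenGroups reply.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TOKEN_GROUPS = [
    string_to_sid(DOMAIN_SID + "-513"),   # Domain Users
    string_to_sid(DOMAIN_SID + "-1105"),  # a custom group the user is (transitively) in
    string_to_sid("S-1-5-32-545"),        # BUILTIN\Users, not a domain SID
    string_to_sid("S-1-1-0"),             # Everyone
]


def demo() -> List[Tuple[str, Optional[int]]]:
    """Map the sample tokenGroups with an assumed ID range of 200000 + RID."""
    mapper = RidMapper(DOMAIN_SID, base=200000, range_size=200000)
    return token_groups_to_gids(SAMPLE_TOKEN_GROUPS, mapper)


if __name__ == "__main__":
    for sid, gid in demo():
        print(f"{sid:48s} -> {gid if gid is not None else 'unmapped'}")
```

The mapping step is pure arithmetic, which is why the whole membership resolution collapses to one base-scope LDAP read regardless of how the member/memberOf attributes are indexed; the non-domain SIDs are deliberately reported as unmapped rather than silently assigned IDs.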

comment:13 Changed 4 years ago by jhrozek

  • Milestone changed from SSSD 1.10 beta to SSSD 1.9.0

comment:14 Changed 4 years ago by jhrozek

  • Status changed from assigned to closed
  • Resolution set to fixed