Chapter 8. Tuning SSSD in IdM servers and clients for large IdM-AD trust deployments
Retrieving user and group information is a very data-intensive operation for the System Security Services Daemon (SSSD), especially in an IdM deployment with a trust to a large Active Directory (AD) domain. The best way to improve this performance is by adjusting which information SSSD retrieves from identity providers and how long it caches that information.
8.1. Tuning SSSD in IdM servers for large IdM-AD trust deployments
This procedure applies tuning options to the configuration of the SSSD service in an IdM server to improve its response time when retrieving information from a large AD environment.
Prerequisites
- You need root permissions to edit the /etc/sssd/sssd.conf configuration file.
Procedure
- Open the /etc/sssd/sssd.conf configuration file in a text editor. Add the following options to the [domain] section for your Active Directory domain. If you do not already have a domain section for your AD domain, create one.

  [domain/ad.example.com]
  ignore_group_members = true
  subdomain_inherit = ignore_group_members
  ...

- Save and close the /etc/sssd/sssd.conf file on the server. Restart the SSSD service on the server to load the configuration changes.

  [root@server ~]# systemctl restart sssd
8.2. Tuning SSSD in IdM clients for large IdM-AD trust deployments
This procedure applies tuning options to SSSD service configuration in an IdM client to improve its response time when retrieving information from a large AD environment.
Prerequisites
- You need root permissions to edit the /etc/sssd/sssd.conf configuration file.
Procedure
- Determine the number of seconds a single un-cached login takes.
  - Clear the SSSD cache on the IdM client client.example.com.

    [root@client ~]# sss_cache -E

  - Measure how long it takes to log in as an AD user with the time command. In this example, from the IdM client client.example.com, log into the same host as the user ad-user from the ad.example.com AD domain.

    [root@client ~]# time ssh ad-user@ad.example.com@client.example.com

    Type in the password as soon as possible.

    Password:
    Last login: Sat Jan 23 06:29:54 2021 from 10.0.2.15
    [ad-user@ad.example.com@client ~]$

  - Log out as soon as possible to display the elapsed time. In this example, a single un-cached login takes about 9 seconds.

    [ad-user@ad.example.com@client /]$ exit
    logout
    Connection to client.example.com closed.

    real    0m8.755s
    user    0m0.017s
    sys     0m0.013s

- Open the /etc/sssd/sssd.conf configuration file in a text editor. Set the pam_id_timeout and krb5_auth_timeout options to the number of seconds an un-cached login takes, rounded up to a whole second. Add krb5_auth_timeout and ldap_deref_threshold to the [domain] section for your Active Directory domain (if you do not already have a domain section for your AD domain, create one), and add pam_id_timeout to the [pam] section, because sssd.conf(5) defines it as a [pam] option rather than a domain option.

  [pam]
  pam_id_timeout = 9

  [domain/ad.example.com]
  krb5_auth_timeout = 9
  ldap_deref_threshold = 0
  ...

- Save and close the /etc/sssd/sssd.conf file on the client. Restart the SSSD service to load the configuration changes.

  [root@client ~]# systemctl restart sssd
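The server procedure in 8.1 and the client procedure in 8.2 both come down to setting a handful of options in specific sections of sssd.conf, which is easy to get wrong by hand across a fleet of hosts: a duplicated key, an option placed in the wrong section, or a world-readable temporary file. The following script is an added example and is not code from the Red Hat page or from the SSSD project. It assumes a POSIX shell with awk and mktemp; the function names, the file path parameter and the domain name parameter are this example's own, and the demo at the end runs on a constructed sample config in a scratch file rather than on /etc/sssd/sssd.conf.

```sh
#!/bin/sh
# Added example, not code from the Red Hat page: an idempotent editor for
# sssd.conf that applies the server tuning from 8.1 and the client tuning
# from 8.2. Section and option names are the page's; the file path and the
# domain name are parameters so the functions can be rehearsed on a scratch
# copy before the live /etc/sssd/sssd.conf is touched.

# ceil_seconds "0m8.755s" -> 9. The page says to use the number of seconds
# an un-cached login takes; rounding down would hand SSSD a budget shorter
# than the login it just measured, so always round up.
ceil_seconds() {
    printf '%s\n' "$1" | awk '{
        m = 0; s = $0
        if (sub(/m.*$/, "", s)) { m = s; s = $0; sub(/^.*m/, "", s) }
        sub(/s$/, "", s)
        total = m * 60 + s
        c = int(total); if (c < total) c++
        print c
    }'
}

# set_sssd_option FILE SECTION KEY VALUE
# Replaces an existing "KEY = ..." line in [SECTION], appends the key at the
# end of the section if it lacks one, and creates the section at the end of
# the file if it is absent. Duplicate KEY lines in the section collapse into
# one. The result is written to a temporary file and moved into place so
# SSSD never reads a half-written config, keeping the 0600 mode sssd.conf
# must have.
set_sssd_option() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function blanks_out() { for (; blanks > 0; blanks--) print "" }
        function flush_section() {
            if (in_sec && !written) { print key " = " val; written = 1 }
            blanks_out()
        }
        /^[[:space:]]*\[.*\][[:space:]]*$/ {            # section header
            flush_section()
            name = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", name)
            in_sec = (name == sec); if (in_sec) found = 1
            print; next
        }
        in_sec && /^[[:space:]]*$/ { blanks++; next }    # hold blank lines
        in_sec && /=/ {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
            if (k == key) {
                blanks_out()
                if (!written) { print key " = " val; written = 1 }
                next
            }
        }
        { blanks_out(); print }
        END {
            flush_section()
            if (!found) { print ""; print "[" sec "]"; print key " = " val }
        }
    ' "$file" > "$tmp" && chmod 0600 "$tmp" && mv "$tmp" "$file"
}

# get_sssd_option FILE SECTION KEY: print the current value, nothing if unset.
get_sssd_option() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            name = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", name)
            in_sec = (name == sec); next
        }
        in_sec && /=/ {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
            if (k == key) { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
        }
    ' "$1"
}

# apply_server_tuning FILE DOMAIN: the 8.1 settings, in [domain/DOMAIN].
apply_server_tuning() {
    set_sssd_option "$1" "domain/$2" ignore_group_members true &&
    set_sssd_option "$1" "domain/$2" subdomain_inherit ignore_group_members
}

# apply_client_tuning FILE DOMAIN SECONDS: the 8.2 settings. pam_id_timeout
# goes to [pam], where sssd.conf(5) defines it; the other two are domain
# options and go to the AD domain section.
apply_client_tuning() {
    set_sssd_option "$1" pam pam_id_timeout "$3" &&
    set_sssd_option "$1" "domain/$2" krb5_auth_timeout "$3" &&
    set_sssd_option "$1" "domain/$2" ldap_deref_threshold 0
}

# Rehearsal on a constructed sample config in a scratch file; point the
# functions at /etc/sssd/sssd.conf only once the output looks right.
demo() {
    scratch=$(mktemp) || return 1
    printf '%s\n' '[sssd]' 'services = nss, pam' 'domains = idm.example.com' '' \
        '[domain/idm.example.com]' 'id_provider = ipa' > "$scratch"
    apply_client_tuning "$scratch" ad.example.com "$(ceil_seconds 0m8.755s)" &&
    cat "$scratch"
    rm -f "$scratch"
}
demo
```

After running the functions against the real file, run sssctl config-check (from sssd-tools) before restarting SSSD: it reports options placed in a section that does not accept them, which is exactly the mistake this script guards against. Run the tuning twice and the file must come out byte-identical; if it does not, the editor is not idempotent and should not be trusted in configuration management.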
8.3. Mounting the SSSD cache in tmpfs
The System Security Services Daemon (SSSD) constantly writes LDAP objects to its cache. These internal SSSD transactions write data to disk, which is much slower than reading and writing from Random-Access Memory (RAM).
To improve this performance, mount the SSSD cache in RAM.
Considerations
- Cached information does not persist after a reboot if the SSSD cache is in RAM.
- It is safe to perform this change on IdM servers, as the SSSD instance on an IdM server cannot lose connectivity with the Directory Server on the same host.
- If you perform this adjustment on an IdM client and it loses connectivity to IdM servers, users will not be able to authenticate after a reboot until you reestablish connectivity.
Prerequisites
- You need root permissions to edit the /etc/fstab configuration file.
Procedure
- Create a tmpfs temporary filesystem by adding the following entry to /etc/fstab as a single line:

  tmpfs /var/lib/sss/db/ tmpfs size=300M,mode=0700,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0

  This example creates a 300 MB cache. Tune the size parameter according to your IdM and AD directory size, estimating 100 MB per 10,000 LDAP entries.

- Mount the new SSSD cache directory.

  [root@host ~]# mount /var/lib/sss/db/

- Restart SSSD to reflect this configuration change.

  [root@host ~]# systemctl restart sssd
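Sizing the tmpfs from the rule of thumb above and recording it in fstab, as an added example that is not code from the Red Hat page: the mount point and mount options are the ones the page gives, while the 300M floor is this example's own assumption (taken from the page's 300M sample entry) and the fstab path is a parameter so the function can be tried on a copy first. The check a practitioner wants here is that a second run, or an earlier hand edit, does not leave two fstab entries for the same mount point.

```sh
#!/bin/sh
# Added example, not code from the Red Hat page: size the tmpfs for the SSSD
# cache from the page's rule of thumb and record it in an fstab file without
# duplicating an entry. Mount point and mount options are the page's; the
# 300M floor is this example's own assumption; the fstab path is a parameter.

MOUNTPOINT=/var/lib/sss/db/
OPTS='mode=0700,rootcontext=system_u:object_r:sssd_var_lib_t:s0'

# tmpfs_size_mb ENTRIES: 100 MB per 10,000 LDAP entries, rounded up to the
# next 100 MB and never below 300 MB (the floor is an assumption).
tmpfs_size_mb() {
    mb=$(( ($1 + 9999) / 10000 * 100 ))
    if [ "$mb" -lt 300 ]; then mb=300; fi
    echo "$mb"
}

# fstab_tmpfs_line SIZE_MB: the single fstab line the page describes.
fstab_tmpfs_line() {
    printf 'tmpfs %s tmpfs size=%sM,%s 0 0\n' "$MOUNTPOINT" "$1" "$OPTS"
}

# set_fstab_entry FSTAB LINE: replace any existing non-comment entry for the
# same mount point (with or without a trailing slash) or append the line.
# Two entries for one mount point would make the effective size ambiguous.
# fstab is normally 0644, so the temporary file is given that mode before
# it is moved into place.
set_fstab_entry() {
    file=$1 line=$2
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v mp="$MOUNTPOINT" -v line="$line" '
        BEGIN { sub(/\/+$/, "", mp) }
        NF >= 2 && $1 !~ /^#/ {
            p = $2; sub(/\/+$/, "", p)
            if (p == mp) { if (!seen) print line; seen = 1; next }
        }
        { print }
        END { if (!seen) print line }
    ' "$file" > "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$file"
}

# Rehearsal on a constructed scratch fstab, sized for 55,000 LDAP entries.
demo() {
    scratch=$(mktemp) || return 1
    printf '%s\n' '# constructed sample, not a real fstab' \
        'UUID=0000-0000 / xfs defaults 0 0' > "$scratch"
    set_fstab_entry "$scratch" "$(fstab_tmpfs_line "$(tmpfs_size_mb 55000)")" &&
    cat "$scratch"
    rm -f "$scratch"
}
demo
```

Once the line is in /etc/fstab, stopping SSSD before mounting (systemctl stop sssd; mount /var/lib/sss/db/; systemctl start sssd) avoids the window in which a running SSSD still holds the old on-disk database files open underneath the new mount. Verify with findmnt /var/lib/sss/db that the mount point is a tmpfs of the intended size and with ls -Zd /var/lib/sss/db that it carries the sssd_var_lib_t context; without the rootcontext option SSSD is denied access to its own cache under SELinux enforcing mode.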
8.4. Options for tuning SSSD in IdM servers and clients for large IdM-AD trust deployments
You can set the following options in the /etc/sssd/sssd.conf configuration file to tune SSSD for large IdM-AD trust deployments.
8.4.1. Tuning options for IdM Servers
- ignore_group_members
  Knowing which groups a user belongs to, as opposed to all the users that belong to a group, is important when authenticating and authorizing a user. When ignore_group_members is set to true, SSSD only retrieves information about the group objects themselves and not their members, providing a significant performance boost.
  Note: The id user@ad-domain.com command still returns the correct list of groups, but getent group ad-group@ad-domain.com returns an empty list.
  Default value: false
  Recommended value: true
- subdomain_inherit
  With the subdomain_inherit option, you can apply the ignore_group_members setting to the trusted AD domains' configuration. Settings listed in the subdomain_inherit option apply to both the main (IdM) domain and the AD subdomain.
  Default value: none
  Recommended value: subdomain_inherit = ignore_group_members
8.4.2. Tuning options for IdM Clients
- pam_id_timeout
  A single PAM conversation can consist of several PAM requests, such as account management and session opening, and while online SSSD refreshes the user's cached identity information from the identity provider for each of them. This option controls how many seconds that refreshed information is reused before SSSD goes back to the identity provider, avoiding excessive round-trips during one login. The default value of 5 seconds might not be enough in environments where complex group memberships are populated on the IdM Server and IdM client side. Red Hat recommends setting pam_id_timeout to the number of seconds a single un-cached login takes. Set it in the [pam] section of sssd.conf, where sssd.conf(5) defines it.
  Default value: 5
  Recommended value: the number of seconds a single un-cached login takes
- krb5_auth_timeout
  krb5_auth_timeout is the number of seconds after which SSSD aborts an online Kerberos authentication or password change request. Increasing it allows more time to process complex group information in environments where users are members of a large number of groups. Red Hat recommends setting this value to the number of seconds a single un-cached login takes.
  Default value: 6
  Recommended value: the number of seconds a single un-cached login takes
- ldap_deref_threshold
  A dereference lookup is a means of fetching all group members in a single LDAP call. The ldap_deref_threshold value specifies the number of group members that must be missing from the internal cache in order to trigger a dereference lookup. If fewer members are missing, they are looked up individually. Dereference lookups may take a long time in large environments and decrease performance. To disable dereference lookups, set this option to 0.
  Default value: 10
  Recommended value: 0