Chapter 8. Tuning SSSD in IdM servers and clients for large IdM-AD trust deployments

Retrieving user and group information is a very data-intensive operation for the System Security Services Daemon (SSSD), especially in an IdM deployment with a trust to a large Active Directory (AD) domain. The best way to improve this performance is by adjusting which information SSSD retrieves from identity providers and for how long.

8.1. Tuning SSSD in IdM servers for large IdM-AD trust deployments

This procedure applies tuning options to the configuration of the SSSD service in an IdM server to improve its response time when retrieving information from a large AD environment.

Prerequisites

  • You need root permissions to edit the /etc/sssd/sssd.conf configuration file.

Procedure

  1. Open the /etc/sssd/sssd.conf configuration file in a text editor.
  2. Add the following options to the [domain] section for your Active Directory domain. If you do not already have a domain section for your AD domain, create one.

    [domain/ad.example.com]
    ignore_group_members = true
    subdomain_inherit = ignore_group_members
    ...
  3. Save and close the /etc/sssd/sssd.conf file on the server.
  4. Restart the SSSD service to load the configuration changes.

    [root@client ~]# systemctl restart sssd

8.2. Tuning SSSD in IdM clients for large IdM-AD trust deployments

This procedure applies tuning options to SSSD service configuration in an IdM client to improve its response time when retrieving information from a large AD environment.

Prerequisites

  • You need root permissions to edit the /etc/sssd/sssd.conf configuration file.

Procedure

  1. Determine the number of seconds a single un-cached login takes.

    1. Clear the SSSD cache on the IdM client client.example.com.

      [root@client ~]# sss_cache -E
    2. Measure how long it takes to log in as an AD user with the time command. In this example, from the IdM client client.example.com, log into the same host as the user ad-user from the ad.example.com AD domain.

      [root@client ~]# time ssh ad-user@ad.example.com@client.example.com
    3. Type in the password as soon as possible.

      Password:
      Last login: Sat Jan 23 06:29:54 2021 from 10.0.2.15
      [ad-user@ad.example.com@client ~]$
    4. Log out as soon as possible to display the elapsed time. In this example, a single un-cached login takes about 9 seconds.

      [ad-user@ad.example.com@client /]$ exit
      logout
      Connection to client.example.com closed.
      
      real 0m8.755s
      user    0m0.017s
      sys     0m0.013s
  2. Open the /etc/sssd/sssd.conf configuration file in a text editor.
  3. Add the following options to the [domain] section for your Active Directory domain. Set the pam_id_timeout and krb5_auth_timeout options to the number of seconds an un-cached login takes. If you do not already have a domain section for your AD domain, create one.

    [domain/ad.example.com]
    pam_id_timeout = 9
    krb5_auth_timeout = 9
    ldap_deref_threshold = 0
    ...
  4. Save and close the /etc/sssd/sssd.conf file on the server.
  5. Restart the SSSD service to load the configuration changes.

    [root@client ~]# systemctl restart sssd
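The following is an added example, not part of the Red Hat documentation or of SSSD itself: it turns the measured login time from step 1.4 into the timeout values and writes the tuning options from sections 8.1 and 8.2 into the AD domain section of an sssd.conf, creating that section if it is missing. The domain name ad.example.com and the sample sssd.conf are assumptions.

```python
import configparser
import io
import math
import re

AD_DOMAIN = "ad.example.com"   # assumed trusted AD domain name
SERVER_OPTIONS = {"ignore_group_members": "true",              # section 8.1 values
                  "subdomain_inherit": "ignore_group_members"}

# Constructed sample: a minimal sssd.conf with no section for the AD domain yet
SAMPLE_CONF = """\
[sssd]
domains = ipa.example.com
services = nss, pam
[domain/ipa.example.com]
id_provider = ipa
ipa_server = server.ipa.example.com
"""
# Constructed sample: the trailing lines of `time ssh ...` from step 1.4
SAMPLE_TIME = "real\t0m8.755s\nuser\t0m0.017s\nsys\t0m0.013s\n"

def timeout_from_time_output(output):
    """Round the 'real' wall-clock time of `time` output up to whole seconds."""
    m = re.search(r"^real\s+(\d+)m([\d.]+)s", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'real' line found in time output")
    return math.ceil(int(m.group(1)) * 60 + float(m.group(2)))

def client_options(login_seconds):
    """Client-side settings from section 8.2, derived from the measured login time."""
    return {"pam_id_timeout": str(login_seconds),
            "krb5_auth_timeout": str(login_seconds),
            "ldap_deref_threshold": "0"}

def apply_tuning(conf_text, options, domain=AD_DOMAIN):
    """Return (updated sssd.conf text, dict of options that were added or changed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep option names exactly as written
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):      # create the AD domain section if missing
        cp.add_section(section)
    changed = {}
    for key, value in options.items():
        if cp.get(section, key, fallback=None) != value:
            cp.set(section, key, value)
            changed[key] = value
    out = io.StringIO()
    cp.write(out)                        # writes "key = value" lines as sssd expects
    return out.getvalue(), changed
```

Running apply_tuning a second time on its own output reports no changes, which makes it usable as a drift check after the restart.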

8.3. Mounting the SSSD cache in tmpfs

The System Security Services Daemon (SSSD) constantly writes LDAP objects to its cache. These internal SSSD transactions write data to disk, which is much slower than reading and writing from Random-Access Memory (RAM).

To improve this performance, mount the SSSD cache in RAM.

Considerations

  • Cached information does not persist after a reboot if the SSSD cache is in RAM.
  • It is safe to perform this change on IdM servers, as the SSSD instance on an IdM server cannot lose connectivity with the Directory Server on the same host.
  • If you perform this adjustment on an IdM client and it loses connectivity to IdM servers, users will not be able to authenticate after a reboot until you reestablish connectivity.

Prerequisites

  • You need root permissions to edit the /etc/fstab configuration file.

Procedure

  1. Create a tmpfs temporary filesystem by adding the following entry to /etc/fstab as a single line:

    tmpfs /var/lib/sss/db/ tmpfs size=300M,mode=0700,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0

    This example creates a 300 MB cache. Tune the size parameter according to your IdM and AD directory size, estimating 100 MB per 10,000 LDAP entries.

  2. Mount the new SSSD cache directory.

    [root@host ~]# mount /var/lib/sss/db/
  3. Restart SSSD to reflect this configuration change.

    [root@host ~]# systemctl restart sssd
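The following is an added example, not part of the Red Hat documentation: it sizes the tmpfs cache with the chapter's rule of thumb, builds the /etc/fstab entry from step 1, and checks an existing fstab for the security-relevant mount options (the 0700 mode and the sssd_var_lib_t SELinux context). The sample fstab lines are constructed.

```python
import math

SSSD_DB = "/var/lib/sss/db"                          # SSSD cache directory
SELINUX_CTX = "system_u:object_r:sssd_var_lib_t:s0"  # context from the chapter's fstab line

def cache_size_mb(ldap_entries):
    """Chapter rule of thumb: about 100 MB per 10,000 LDAP entries, rounded up."""
    return max(100, math.ceil(ldap_entries / 10000) * 100)

def fstab_entry(size_mb):
    """Build the single-line /etc/fstab entry from section 8.3 for the given size."""
    return (f"tmpfs {SSSD_DB}/ tmpfs "
            f"size={size_mb}M,mode=0700,rootcontext={SELINUX_CTX} 0 0")

def check_fstab(fstab_text):
    """Return a list of problems with the SSSD cache entry; an empty list means it is OK."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue                                 # skip comments and short lines
        if fields[1].rstrip("/") != SSSD_DB:
            continue                                 # not the SSSD cache mount point
        problems = []
        if fields[2] != "tmpfs":
            problems.append(f"filesystem type is {fields[2]}, expected tmpfs")
        opts = dict(o.split("=", 1) if "=" in o else (o, "") for o in fields[3].split(","))
        if opts.get("mode") != "0700":
            problems.append("mode must be 0700 so only root can read the cache")
        if opts.get("rootcontext") != SELINUX_CTX:
            problems.append("rootcontext must label the mount sssd_var_lib_t for SELinux")
        if "size" not in opts:
            problems.append("size is not set")
        return problems
    return [f"no entry for {SSSD_DB} found"]

# Constructed samples: a correct entry, and one with a world-readable mode and no SELinux context
GOOD_FSTAB = "/dev/vda1 / xfs defaults 0 0\n" + fstab_entry(300) + "\n"
BAD_FSTAB = "tmpfs /var/lib/sss/db tmpfs size=300M,mode=0755 0 0\n"
```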

8.4. Options for tuning SSSD in IdM servers and clients for large IdM-AD trust deployments

You can set the following options in the /etc/sssd/sssd.conf configuration file.

8.4.1. Tuning options for IdM Servers

ignore_group_members

Knowing which groups a user belongs to, as opposed to all the users that belong to a group, is important when authenticating and authorizing a user. When ignore_group_members is set to true, SSSD only retrieves information about the group objects themselves and not their members, providing a significant performance boost.

Note

The id user@ad-domain.com command still returns the correct list of groups, but getent group ad-group@ad-domain.com returns an empty list.

Default value

false

Recommended value

true

subdomain_inherit

With the subdomain_inherit option, you can apply the ignore_group_members setting to the trusted AD domains’ configuration. Settings listed in the subdomain_inherit option apply to both the main (IdM) domain and the AD subdomain.

Default value

none

Recommended value

subdomain_inherit = ignore_group_members

8.4.2. Tuning options for IdM Clients

pam_id_timeout

This parameter controls how long results from a PAM session will be cached, in order to avoid excessive round-trips to the identity provider during an identity lookup. The default value of 5 seconds might not be enough in environments where complex group memberships are populated on the IdM Server and IdM client side. Red Hat recommends setting pam_id_timeout to the number of seconds a single un-cached login takes.

Default value

5

Recommended value

the number of seconds a single un-cached login takes

krb5_auth_timeout

Increasing krb5_auth_timeout allows more time to process complex group information in environments where users are members of a large number of groups. Red Hat recommends setting this value to the number of seconds a single un-cached login takes.

Default value

6

Recommended value

the number of seconds a single un-cached login takes

ldap_deref_threshold

A dereference lookup is a means of fetching all group members in a single LDAP call. The ldap_deref_threshold value specifies the number of group members that must be missing from the internal cache in order to trigger a dereference lookup. If fewer members are missing, they are looked up individually. Dereference lookups may take a long time in large environments and decrease performance. To disable dereference lookups, set this option to 0.

Default value

10

Recommended value

0

8.5. Additional resources