On Tue, Jan 26, 2016 at 3:03 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Jan 26, 2016 at 02:19:42PM -0500, James Ralston wrote:
>
>> Here's the problem: unless the user/group objects already happen to be
>> in sssd's cache, enumerating the passwd/group entries in this way is
>> very slow: 3-5 entries per second, at best. For a larger AD domain,
>> the program can take 10-15 minutes to perform this iterative
>> enumeration, which is much longer than we'd prefer.
>>
>> Can anyone think of a way to make this iterative enumeration go
>> faster?
>
> Did you try mounting the cache to tmpfs to get rid of the cache writes?
>
> [...]

That's… a very clever idea.

From testing using tmpfs to back /var/lib/sss/db, the speed of lookups increases by about an order of magnitude: about 44 lookups per second, instead of 4-5 lookups per second. We have around 5,000 AD objects, so the ~100 second wait would be tolerable.

A related question: is there any possibility of adding an option to the ad backend to disable the filtering of distribution groups (group type flag 0x8)?

It's a long story, but what we are trying to do here is to take regular snapshots of our AD users and groups, and sssd's getpwnam()/getgrnam() mapping is the perfect way to do it.

I think I understand why distribution groups are filtered by default (they're not security-enabled in AD, and can't be used in Windows ACLs), but in this one particular case, we really do want to be able to enumerate every single group.