On Mon, Aug 26, 2013 at 04:02:59PM -0400, Simo Sorce wrote: > On Mon, 2013-08-26 at 21:41 +0200, Jakub Hrozek wrote: > > On Mon, Aug 26, 2013 at 03:35:09PM -0400, Simo Sorce wrote: > > > On Mon, 2013-08-26 at 21:17 +0200, Jakub Hrozek wrote: > > > > On Mon, Aug 26, 2013 at 06:18:05PM +0200, Sumit Bose wrote: > > > > > On Mon, Aug 26, 2013 at 05:20:21PM +0200, Jakub Hrozek wrote: > > > > > > On Fri, Aug 23, 2013 at 03:44:09PM +0200, Sumit Bose wrote: > > > > > > > Hi, > > > > > > > > > > > > > > currently in ipa-server-mode only the AD groups memberships are > > > > > > > available. This patch adds the IPA group memberships to trusted AD > > > > > > > users. > > > > > > > > > > > > > > This patch is missing some unit tests for some of the helper > > > > > > > functions. > > > > > > > I will send them later, but I didn't want to delay the next > > > > > > > release. > > > > > > > > > > > > > > bye, > > > > > > > Sumit > > > > > > > > > > > > I haven't done any testing yet but do we need the timeout? Since the > > > > > > initgroups is a rare operation and on logins we generally want to > > > > > > have > > > > > > the correct memberships, can we just rely on responder caching? > > > > > > > > > > I was thinking of situations where multiple logins happen in a short > > > > > time. Additionally I think even if group memberships of a user might > > > > > change often the mapping of AD to IPA group memberships via the > > > > > external > > > > > groups will only change rarely. > > > > > > > > > > Maybe we can a cache time option to make it more flexible? > > > > > > > > > > bye, > > > > > Sumit > > > > > > > > I was thinking about this more on my way home and I think you're > > > > right we need to optimize the ipa_server_mode. This could cause the "8AM > > > > login rush" to be a real bottleneck. > > > > > > > > But I think we can exploit the fact that we know the server well during > > > > the ipa_server_mode. What about this approach? > > > > 1. on startup we download all external groups > > > > > > it could be a huge set, and would cause a huge load if someone runs a > > > puppet script to reconfigure and restart a few 1000 machines with sssd. > > > > > > > A huge set of external groups? > > Why not ?
No technical reason. I just don't see that as a common use-case that's all. > > > > > 2. store the largest lastUSN to the server mode context > > > > > > we already have this afaik > > > > No we don't. This is new code just for the server mode. > > Ahh, that explains some things, sorry. No problem, lot of patches are flailing around, I know. > > > > > > > > 3. on subsequent lookups, only download and store groups with higher > > > > lastUSN > > > > > > if you change server you are back to square zero though > > > > > > > Which is never during in the server mode. (except for slapd outages etc) > > > > > > 4. perform the lookup always. It's on the server after all so > > > > network LDAP search is quite cheap. > > > > > > not sure I understand what this means ? > > > > The current patch re-downloads external groups every 600 seconds and if > > 600 seconds hasn't passed, uses cache. I'm proposing we download > > (&(objectClass=externalGroup)(lastUSN>=stored_last_usn)) on every > > request because in the server mode the latency is not an issue. > > 600 is a lot :( yes, that's why I was trying to come up with something more optimized.. > > > > > > > > > > The point of checking initgroups at login is to assure the right > > > memberships are in place, both for security reasons and to allow a user > > > to logoff and login back again and make sure eh gets new group > > > memberships if he has been granted any new ones. > > > > > > Loggin off then back on is the only way to gain system-wide the new > > > memberships so that's what an administrator will tell a user to do if > > > the user complains he can't access something. > > > > > > This means that caching can't last long as the side effects are severe. > > > So anything more than a few seconds would probably be bad. A few seconds > > > make total sense for load issues when someone is abusing pam atuh (for > > > example someon eusing basic auth wired to pam auth for a a web server > > > that will receive potentially many tens of authentications for the same > > > user within a fraction of a second as each image and file is loaded in a > > > new connection). > > > > > > In this case you really want to completely cache the whole operation and > > > not touch the network for any reason, otherwise latency will make things > > > unbearable. But that's the extent to which you want to go, a few seconds > > > for auth bursts, nothing more. > > > > > > Simo. > > > > The latency in the server mode is really small, we should always be > > talking to the local server. > > I think we shouold defer this until the synrepl control is available in > 389ds, then we can simply have a persistent search open using syncrepl > and we'll get changes as needed and no more that that (including > deletions). > > Simo. Yes, that sounds like a very good solution, I just think we also need to have a way to handle the external groups in time for 1.11/3.3. If we can leverage a 389DS control later, even better. _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
