8.5. Tuning SSSD in IdM clients for large IdM-AD trust deployments
This procedure applies tuning options to the SSSD configuration on an IdM client to improve its response time when retrieving information from a large AD environment. The idea is to measure how long one un-cached login actually takes and then set the SSSD timeouts to at least that value, so that slow but legitimate lookups are not cut off.
Prerequisites
- You must have root permissions to edit the /etc/sssd/sssd.conf configuration file.
Procédure
- Determine the number of seconds a single un-cached login takes.
  - Clear the SSSD cache on the IdM client client.example.com:
    [root@client ~]# sss_cache -E
  - Measure how long it takes to log in as an AD user with the time command. In this example, from the IdM client client.example.com, log into the same host as the user ad-user from the ad.example.com AD domain:
    [root@client ~]# time ssh ad-user@ad.example.com@client.example.com
  - Type in the password as soon as possible.
    Password:
    Last login: Sat Jan 23 06:29:54 2021 from 10.0.2.15
    [ad-user@ad.example.com@client ~]$
  - Log out as soon as possible to display the elapsed time. In this example, the real value of 8.755 seconds means a single un-cached login takes about 9 seconds:
    [ad-user@ad.example.com@client /]$ exit
    logout
    Connection to client.example.com closed.
    real 0m8.755s
    user 0m0.017s
    sys 0m0.013s
- Open the /etc/sssd/sssd.conf configuration file in a text editor. Add the following options to the [domain] section for your Active Directory domain, setting krb5_auth_timeout to the number of seconds an un-cached login takes (rounded up to a whole number). If you do not already have a domain section for your AD domain, create one:
    [domain/example.com/ad.example.com]
    krb5_auth_timeout = 9
    ldap_deref_threshold = 0
    ...
  Add the following option to the [pam] section, setting pam_id_timeout to the same number of seconds:
    [pam]
    pam_id_timeout = 9
- Save and close the /etc/sssd/sssd.conf file on the client. Keep the file owned by root with mode 0600; SSSD refuses to start if sssd.conf is readable by other users. Restart the SSSD service to load the configuration changes:
    [root@client ~]# systemctl restart sssd
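The measurement and configuration steps above, as an added Python example that is not part of the Red Hat documentation or of SSSD itself. It parses the real line that the time command prints, rounds it up to the whole-second value the SSSD options expect, applies the [domain] and [pam] settings from the procedure to an sssd.conf text, and writes the result with the 0600 mode SSSD requires. The sample time output and sssd.conf are constructed for the example; the section name domain/example.com/ad.example.com and the function names are assumptions that follow the naming used in the procedure.

```python
"""Hypothetical helper (not part of IdM or SSSD): derive the un-cached login
time from `time` output and apply the SSSD timeout tuning to sssd.conf."""
import configparser
import io
import math
import os
import re

# Constructed sample: what `time ssh ad-user@ad.example.com@client.example.com`
# printed after logout in the procedure above.
SAMPLE_TIME_OUTPUT = """\
real 0m8.755s
user 0m0.017s
sys  0m0.013s
"""

# Constructed sample sssd.conf for an IdM client; not copied from a real host.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_server = server.example.com

[pam]
"""

# Assumed AD trust sub-domain section name, following the procedure's example.
AD_DOMAIN_SECTION = "domain/example.com/ad.example.com"

# Matches the `real` line of bash's `time` output, e.g. "real\t0m8.755s".
# A decimal comma (non-C locales) is accepted as well.
_REAL_RE = re.compile(r"^\s*real\s+(?:(\d+)m)?([\d.,]+)s\s*$", re.MULTILINE)


def uncached_login_seconds(time_output: str) -> int:
    """Return the wall-clock `real` time rounded UP to whole seconds.
    The SSSD options take integers, and rounding down would set a timeout
    shorter than the login it has to cover."""
    m = _REAL_RE.search(time_output)
    if m is None:
        raise ValueError("no 'real' line found in time output")
    minutes = int(m.group(1) or 0)
    seconds = float(m.group(2).replace(",", "."))
    return max(1, math.ceil(minutes * 60 + seconds))


def _parser() -> configparser.ConfigParser:
    # sssd.conf is INI-like: `key = value`, sections such as [domain/name],
    # '#' and ';' comments. No interpolation, keep option names verbatim.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    return cp


def tune_sssd_conf(conf_text: str, ad_domain_section: str, seconds: int) -> str:
    """Return conf_text with the procedure's tuning applied:
    krb5_auth_timeout and ldap_deref_threshold = 0 in the AD domain section
    (created if missing) and pam_id_timeout in [pam] (created if missing)."""
    cp = _parser()
    cp.read_string(conf_text)
    if not cp.has_section(ad_domain_section):
        cp.add_section(ad_domain_section)
    cp.set(ad_domain_section, "krb5_auth_timeout", str(seconds))
    cp.set(ad_domain_section, "ldap_deref_threshold", "0")
    if not cp.has_section("pam"):
        cp.add_section("pam")
    cp.set("pam", "pam_id_timeout", str(seconds))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def get_option(conf_text: str, section: str, option: str):
    """Read one option back from an sssd.conf text (None if absent)."""
    cp = _parser()
    cp.read_string(conf_text)
    return cp.get(section, option, fallback=None)


def write_private(path: str, text: str) -> None:
    """Write the tuned file with mode 0600. SSSD refuses to start when
    sssd.conf is group- or world-readable, so never leave a wider mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten a pre-existing file that had a wider mode


if __name__ == "__main__":
    secs = uncached_login_seconds(SAMPLE_TIME_OUTPUT)   # 9 for the sample
    print(tune_sssd_conf(SAMPLE_SSSD_CONF, AD_DOMAIN_SECTION, secs))
    # On a real client you would then run:
    #   write_private("/etc/sssd/sssd.conf", tuned_text); systemctl restart sssd
```

Run it as root on the client only after reviewing the printed output; configparser rewrites the whole file, so comments in the original sssd.conf are dropped, which is the usual trade-off with this approach. The ceiling rather than the nearest integer is deliberate: a timeout of 8 seconds for an 8.755-second login would still time out.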
Additional resources