8.5. Tuning SSSD in IdM clients for large IdM-AD trust deployments
This procedure applies tuning options to SSSD service configuration in an IdM client to improve its response time when retrieving information from a large AD environment.
Conditions préalables
-
Vous devez disposer des autorisations
rootpour modifier le fichier de configuration/etc/sssd/sssd.conf.
Procédure
Determine the number of seconds a single un-cached login takes.
Clear the SSSD cache on the IdM client
client.example.com.[root@client ~]# sss_cache -EMeasure how long it takes to log in as an AD user with the
timecommand. In this example, from the IdM clientclient.example.com, log into the same host as the userad-userfrom thead.example.comAD domain.[root@client ~]# time ssh ad-user@ad.example.com@client.example.comType in the password as soon as possible.
Password: Last login: Sat Jan 23 06:29:54 2021 from 10.0.2.15 [ad-user@ad.example.com@client ~]$
Log out as soon as possible to display elapsed time. In this example, a single un-cached login takes about
9seconds.[ad-user@ad.example.com@client /]$ exit logout Connection to client.example.com closed. real 0m8.755s user 0m0.017s sys 0m0.013s
-
Ouvrez le fichier de configuration
/etc/sssd/sssd.confdans un éditeur de texte. Add the following options to the
[domain]section for your Active Directory domain. Set thepam_id_timeoutandkrb5_auth_timeoutoptions to the number of seconds an un-cached login takes. If you do not already have a domain section for your AD domain, create one.[domain/example.com/ad.example.com] krb5_auth_timeout = 9 ldap_deref_threshold = 0 ...
Add the following option to the
[pam]section:[pam] pam_id_timeout = 9-
Save and close the
/etc/sssd/sssd.conffile on the server. Redémarrez le service SSSD pour charger les modifications de configuration.
[root@client ~]# systemctl restart sssd
Ressources supplémentaires
