[Freeipa-devel] [PATCH 0038] increase NSS memcache timeout for IPA server

Martin Babinsky mbabinsk at redhat.com
Wed May 27 11:40:56 UTC 2015


On 05/27/2015 01:33 PM, Lukas Slebodnik wrote:
> On (27/05/15 13:25), Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/4964
>>
>> --
>> Martin^3 Babinsky
>
>>From ef8481ee0267a720551832baae9398b435b3c6c5 Mon Sep 17 00:00:00 2001
>> From: Martin Babinsky <mbabinsk at redhat.com>
>> Date: Tue, 26 May 2015 18:11:08 +0200
>> Subject: [PATCH] increase NSS memcache timeout for IPA server
>>
>> Increasing memcache timeout to 600 seconds when configuring sssd on IPA server
>> should improve performance when dealing with large groups in trusts.
>>
>> https://fedorahosted.org/freeipa/ticket/4964
>> ---
>> ipa-client/ipa-install/ipa-client-install | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>>
>> diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
>> index 63e3c9800791f3d29c977d63815c4291f5a235b9..ab3bc8a652dad01b9db5a26b877f38b850cb07f1 100755
>> --- a/ipa-client/ipa-install/ipa-client-install
>> +++ b/ipa-client/ipa-install/ipa-client-install
>> @@ -1274,6 +1274,15 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
>>          # the master should only use itself for Kerberos
>>          domain.set_option('ipa_server', cli_server[0])
>>
>> +        # increase memcache timeout to 10 minutes when in server mode
>> +        try:
>> +            nss_service = sssdconfig.get_service('nss')
>> +        except SSSDConfig.NoServiceError:
>> +            nss_service = sssdconfig.new_service('nss')
>> +
>> +        nss_service.set_option('memcache_timeout', 600)
>> +        sssdconfig.save_service(nss_service)
>> +
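Review bot: the added `nss_service.set_option('memcache_timeout', 600)` line runs unconditionally once the `nss` service has been fetched or created, so a `memcache_timeout` already present in an existing nss section is silently replaced with 600. Consider setting it only when the option is absent (or only raising it when the current value is lower), and give the literal 600 a named constant. The new comment could also say that this code sits in the on-master branch, since the hunk context alone does not show which branch it belongs to.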
>
> NACK
>
> It should not be set to such high value for each client.
>
> It should be configured if and only if sssd is in the ipa-server mode
> (trust with AD)
>
> LS
>
Lukas,

it actually is set only when '--on-master' option is used, as can be 
(hopefully) seen from the following code:

"""
     if not options.on_master:
         if options.primary:
             domain.set_option('ipa_server', ', '.join(cli_server))
         else:
             domain.set_option('ipa_server', '_srv_, %s' % ', '.join(cli_server))
     else:
         domain.set_option('ipa_server_mode', 'True')
         # the master should only use itself for Kerberos
         domain.set_option('ipa_server', cli_server[0])

         # increase memcache timeout to 10 minutes when in server mode
         try:
             nss_service = sssdconfig.get_service('nss')
         except SSSDConfig.NoServiceError:
             nss_service = sssdconfig.new_service('nss')

         nss_service.set_option('memcache_timeout', 600)
         sssdconfig.save_service(nss_service)
"""

-- 
Martin^3 Babinsky
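
The concern raised in the thread (a 600 second memcache timeout belongs only on hosts running sssd in IPA server mode) can be checked against a deployed sssd.conf. The following is an added example, not code from the patch or from FreeIPA; the function name, the verdict strings, the sample configurations and the 300 second stock value used when the option is absent are assumptions of this example.

```python
import configparser

# Assumption of this example: value SSSD uses when memcache_timeout is not set.
STOCK_MEMCACHE_TIMEOUT = 300


def audit_memcache_timeout(conf_text):
    """Return (server_mode, timeout, verdict) for the text of one sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)

    # Server mode is a per-domain option; any domain section enabling it counts.
    server_mode = any(
        cp.get(s, "ipa_server_mode", fallback="false").strip().lower() == "true"
        for s in cp.sections() if s.startswith("domain/")
    )
    # A missing [nss] section or a missing option both fall back to the stock value.
    timeout = cp.getint("nss", "memcache_timeout", fallback=STOCK_MEMCACHE_TIMEOUT)

    if timeout > STOCK_MEMCACHE_TIMEOUT and not server_mode:
        verdict = "raised-on-client"      # the case the NACK objects to
    elif server_mode and timeout <= STOCK_MEMCACHE_TIMEOUT:
        verdict = "server-mode-not-raised"
    else:
        verdict = "ok"
    return server_mode, timeout, verdict


# Constructed sample configurations (not taken from any real host).
SERVER_CONF = """
[domain/example.test]
ipa_server_mode = True
ipa_server = master.example.test

[nss]
memcache_timeout = 600
"""

CLIENT_CONF = """
[domain/example.test]
ipa_server = _srv_, master.example.test

[nss]
memcache_timeout = 600
"""

SERVER_NO_NSS_CONF = """
[domain/example.test]
ipa_server_mode = True
"""

if __name__ == "__main__":
    for name in ("SERVER_CONF", "CLIENT_CONF", "SERVER_NO_NSS_CONF"):
        print(name, audit_memcache_timeout(globals()[name]))
```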



