[Freeipa-users] Another patch for ipa-sam: Excessive LDAP calls by ipa-sam during file operations

Alexander Bokovoy abokovoy at redhat.com
Sun Mar 9 19:22:52 UTC 2014


On Sun, 09 Mar 2014, Jason Woods wrote:
>Hi,
>
>A follow up from previous email regarding my patch for ipa-sam to fix
>"valid users = " group references in the samba server that comes with
>ipa-server-trust-ad.  (Found here:
>https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html
>)
>
>I noticed that ns-slapd CPU was excessive during multi-file copies
>(like a git repository with thousands of files.) Debug level 10 logs
>showed ipa-sam was performing multiple LDAP queries per file. One for
>the user and others for the groups. Specifically in order to perform
>gid/uid<->sid lookups.
>
>I've pre-empted and raised as a bug with a proposed patch:
>https://bugzilla.redhat.com/show_bug.cgi?id=1074314
>
>It does a few things:
>1. idmap caching so the ldap calls are significantly reduced
>2. when a gid lookup is received for the primary user group (so where
>gid==uid), properly reflect the behaviour of the initial lookup that
>happens during init by returning the Default SMB Group fallback group
>3. don't bother with an ldap call for uidNumber=0 (root) - since it never will
>exist in FreeIPA according to my research
>My CPU for ns-slapd is now 0. And file copies are much better and more
>like normal.
>
>This seems to fix all issues for me at the moment - and I guess all
>that remains to do is extra features to make it more like the ldapsam.
>It also looks like all that is needed to get the ipa-sam.so to work
>without a FreeIPA master local - is to allow the service principal access
>to the ipaNTHash attribute. However, I can't see any current aci
>referring to principals at the moment or even grouping of them into
>types - probably because I'm taking the wrong thought-path - but if
>anyone would like to discuss this that would be great.
Good. I'll take that bug and will review your patch in my queue. It
will, perhaps, take some time as I have some load with stabilization
work for 3.3.x.

Anyway, you are correct that we need a service principal to be allowed
to access it. In FreeIPA 4.0 (former 3.4) we'll have a new permission
management system that should make these things easier, and also SSSD
1.12 is going to give us a bit more help with Samba -- there will be a
talk by Sumit Bose at SambaXP in May.

I also plan to make packaging easier by creating a sub-package for
ipasam.so so that it could be installed on an IPA client, not only on
a server. Ideally, with a tool that sets up Samba like
ipa-adtrust-server does, complete with creating all principals and
permissions.

-- 
/ Alexander Bokovoy
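To make the three behaviours Jason describes concrete, here is an added illustration (not the patch itself, nor ipa-sam code): a direct-mapped id-to-SID cache, a root short-circuit, and the primary-group fallback, applied per file as a passdb backend would during a copy. The LDAP round trip is a constructed stub that only counts calls, the SID strings and the fallback SID are made-up values, and the slot cache and the `map_file_ids`/`simulate_copy` names are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the per-ID LDAP round trip: it only counts
 * calls so the effect of caching is measurable. Not ipa-sam's lookup. */
static int ldap_calls;
static void backend_id_to_sid(unsigned id, bool is_gid, char *sid, size_t n) {
    ldap_calls++;
    snprintf(sid, n, "S-1-5-21-EXAMPLE-%s-%u", is_gid ? "G" : "U", id); /* made-up SID */
}

/* Assumed value for the "Default SMB Group" fallback SID. */
static const char *DEFAULT_SMB_GROUP_SID = "S-1-5-21-EXAMPLE-FALLBACK";

#define CACHE_SLOTS 256
struct idmap_entry { bool used, is_gid; unsigned id; char sid[64]; };
static struct idmap_entry cache[CACHE_SLOTS];

/* Rule 3 (caching) and rule 1 (uidNumber 0 never exists in FreeIPA, so no
 * backend call). Direct-mapped slot keyed on id; a collision evicts the older entry. */
static bool cached_lookup(unsigned id, bool is_gid, char *sid, size_t n) {
    if (id == 0) return false;
    struct idmap_entry *e = &cache[(id * 2 + (is_gid ? 1 : 0)) % CACHE_SLOTS];
    if (!(e->used && e->id == id && e->is_gid == is_gid)) {
        backend_id_to_sid(id, is_gid, e->sid, sizeof e->sid);
        e->used = true; e->id = id; e->is_gid = is_gid;
    }
    snprintf(sid, n, "%s", e->sid);
    return true;
}

/* Map one file's owner uid and group gid. Rule 2: a gid equal to the uid is the
 * user's private primary group, so answer with the fallback group, no lookup. */
bool map_file_ids(unsigned uid, unsigned gid, char *usid, char *gsid, size_t n) {
    if (!cached_lookup(uid, false, usid, n)) return false;
    if (gid == uid) { snprintf(gsid, n, "%s", DEFAULT_SMB_GROUP_SID); return true; }
    return cached_lookup(gid, true, gsid, n);
}

/* Simulate copying nfiles files with the same owner; returns cumulative backend calls. */
int simulate_copy(unsigned uid, unsigned gid, int nfiles) {
    char u[64], g[64];
    for (int i = 0; i < nfiles; i++) map_file_ids(uid, gid, u, g, sizeof u);
    return ldap_calls;
}

int main(void) {
    simulate_copy(1500, 1500, 5000);              /* one user, private group: 1 call */
    printf("%d LDAP calls for 10000 files\n", simulate_copy(1501, 2000, 5000)); /* 3 */
    return 0;
}
```

Without the cache and the two short-circuits the same 10000-file copy would cost 20000 backend calls, which is the ns-slapd load Jason observed.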