elmaia

Reputation: 11

Google LDAP on Linux using SSSD and PAM is taking too long to login

In the past I was using Samba with zero problems, but since I migrated to GCP and started using LDAP I have had some problems. I hope you can help me.

Our school has a domain at GCP and we are using many services, one of them being LDAP.

Organizational Units:
- Technical School
  - Technical School - Students
  - Technical School - Internals
  - Technical School - Teachers
  - Technical School - Projects
  - Technical School - Technicians
Users:
- Many, over 1,000 users
Groups: Most of them are Dynamic Groups, like:
- Students: (user.org_unit_id==orgUnitId('sanitized_info')) && user.suspended == false

In order to enable login on Linux Ubuntu 20.04.6 LTS using LDAP, we set up

/etc/sssd/sssd.conf

[sssd]
services = nss,pam,sudo
domains = ourdomain.org

[domain/ourdomain.org]
ldap_tls_cert = /var/lib/ldap/domain.crt
ldap_tls_key = /var/lib/ldap/domain.key
ldap_uri = ldaps://ldap.google.com
ldap_search_base = dc=ourdomain,dc=org
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
ldap_referrals = False
ldap_group_nesting_level = 0
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
create_homedir = True
auto_private_groups = true
#override_homedir = /home/%u@%d
override_shell = /bin/bash

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

Everything is working, but it takes about 10 minutes per login. I enabled debug_level and it seems that it is downloading everything about every user, every time.

By the way, how do I link an LDAP group to a Linux group? I want users from the OU "Technical School - Technicians" to have sudo permissions. I have a Dynamic Group named "Tech" which has the same users as the OU.

Thanks.

I tried some combinations of these settings, with no success.

ldap_referrals = False
ldap_group_nesting_level = 0
auto_private_groups = true

Upvotes: 0

Views: 637
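The ten-minute login and the "downloading everything about every user" debug output point at group handling, which is what the following script checks for. It is an added example, not code from the question or from the SSSD project: a small linter for the domain section of sssd.conf that flags the settings most often behind slow logins against Google Secure LDAP (no ignore_group_members, no cache_credentials, the Active Directory-only matching_rule_in_chain options, no group search base) plus the 0600 permission rule from sssd.conf(5) that stops sssd from starting at all. Option names come from sssd.conf(5) and sssd-ldap(5); the two sample configs it writes are constructed here (one modelled on the posted config, one with the findings addressed), and ou=Groups is an assumed group search base, since the question does not say where Google LDAP exposes the groups.

```shell
#!/bin/sh
# Added example (not code from the question or from SSSD): a linter for the
# sssd.conf settings that most often make logins against Google Secure LDAP slow,
# plus the permission rule that stops sssd from starting. Option names are from
# sssd.conf(5)/sssd-ldap(5). Both sample configs are constructed here, not taken
# from a real host; ou=Groups is an assumed group search base.

# sssd_get FILE SECTION KEY: print KEY's value in [SECTION] (empty if unset).
# Accepts "key = value" and "key=value"; ignores lines commented with # or ;.
sssd_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ {                        # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_sec = (s == sec); next
        }
        in_sec && !/^[ \t]*[#;]/ && /=/ {    # key = value line
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}
# Lower-cased variant so True/true/TRUE compare equal.
sssd_bool() { sssd_get "$1" "$2" "$3" | tr '[:upper:]' '[:lower:]'; }

# sssd_lint FILE DOMAIN: one WARN line per finding; return value = number found.
sssd_lint() {
    file=$1; sec="domain/$2"; n=0
    warn() { echo "WARN: $1"; n=$((n + 1)); }
    # sssd.conf(5): the file must be root-owned and mode 0600 or sssd will not start.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = 600 ] || warn "mode is $mode; sssd requires 0600 and root ownership"
    # Otherwise every group lookup, including the initgroups call at each login,
    # fetches the full member list of every matching group; with thousand-user
    # dynamic groups that is the 'everything about every user' in the debug log.
    [ "$(sssd_bool "$file" "$sec" ignore_group_members)" = true ] ||
        warn "ignore_group_members is not True: member lists are fetched at every login"
    # Cached credentials allow offline and repeat logins without a server round trip.
    [ "$(sssd_bool "$file" "$sec" cache_credentials)" = true ] ||
        warn "cache_credentials is not True: every login needs the LDAP server"
    # LDAP_MATCHING_RULE_IN_CHAIN is an Active Directory extension; sssd-ldap(5)
    # says to leave these off in the common case, and Google LDAP is not AD.
    for opt in ldap_groups_use_matching_rule_in_chain ldap_initgroups_use_matching_rule_in_chain; do
        [ "$(sssd_bool "$file" "$sec" "$opt")" = true ] && warn "$opt = True on a non-AD server"
    done
    # enumerate = True makes sssd periodically download the whole directory.
    [ "$(sssd_bool "$file" "$sec" enumerate)" = true ] && warn "enumerate = True; leave it unset"
    # Without a group search base every group query starts at ldap_search_base.
    [ -n "$(sssd_get "$file" "$sec" ldap_group_search_base)" ] ||
        warn "ldap_group_search_base unset: narrow it to the subtree holding the mapped groups"
    # Not a speed issue, but worth flagging: this cipher string turns off TLS 1.3.
    case "$(sssd_get "$file" "$sec" ldap_tls_cipher_suite)" in
        *'!VERS-TLS1.3'*) warn "ldap_tls_cipher_suite disables TLS 1.3; keep only if the server needs it" ;;
    esac
    return "$n"
}

# Constructed sample in the shape of the posted domain section (abridged), world-readable.
write_slow_conf() {
    cat > "$1" <<'EOF'
[domain/ourdomain.org]
ldap_uri = ldaps://ldap.google.com
ldap_search_base = dc=ourdomain,dc=org
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
EOF
    chmod 644 "$1"
}
# Constructed sample with every finding addressed (ou=Groups is assumed).
write_fast_conf() {
    cat > "$1" <<'EOF'
[domain/ourdomain.org]
ldap_uri = ldaps://ldap.google.com
ldap_search_base = dc=ourdomain,dc=org
ldap_group_search_base = ou=Groups,dc=ourdomain,dc=org
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ignore_group_members = True
cache_credentials = True
EOF
    chmod 600 "$1"
}

# Demo: lint both samples. Expected: 7 findings for the first, none for the second.
slow=$(mktemp); fast=$(mktemp)
write_slow_conf "$slow"; write_fast_conf "$fast"
for f in "$slow" "$fast"; do
    echo "== $f"; if sssd_lint "$f" ourdomain.org; then echo "no findings"; fi
done
rm -f "$slow" "$fast"
```

Point it at the real file with `sssd_lint /etc/sssd/sssd.conf ourdomain.org` (as root, since the file is 0600), change one finding at a time, restart sssd, and measure with `sss_cache -E` followed by `time id someone@ourdomain.org`. ignore_group_members has a visible side effect to be aware of: `getent group tech@ourdomain.org` then returns the group with an empty member list, while `id` still shows the group for the user, because the user-side initgroups lookup is not affected.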

Answers (1)

Hasan Aliyev

Reputation: 51

In your case it can take a long time if there are a lot of users. You can change the ldap_search_base field to a specific OU; that should work faster. Additionally, enable credential caching with cache_credentials = True.

I have the same issue with sudo commands. As a workaround, I:

  1. Added ldap_group_search_base = "Some OU"
  2. Tested whether this works with getent group "group name"
  3. If it works, added the group to the /etc/sudoers file
  4. In the nsswitch.conf file, added sss to the groups directive. Now it will work as if these groups were local.

Upvotes: 0
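The four steps of the answer above as one script, added here as an example and not the answerer's own code. It assumes the domain is ourdomain.org with use_fully_qualified_names = True as in the question, so the dynamic group "Tech" is visible to Linux as tech@ourdomain.org (confirm the exact spelling with `getent group` or `id`, since the group's name attribute in Google LDAP decides it); the sample nsswitch.conf is constructed, and the rule is written as a drop-in for /etc/sudoers.d rather than edited into /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from the answer: the answer's four steps as one script.
# Assumes domain ourdomain.org with use_fully_qualified_names = True (so the
# LDAP group "Tech" is visible to Linux as tech@ourdomain.org); the sample
# nsswitch.conf below is constructed, not copied from a host.

# nss_has_sss FILE DB: succeed if the DB line in nsswitch.conf lists sss,
# e.g. "group:  files systemd sss". Comment lines are skipped.
nss_has_sss() {
    awk -v db="$2" '
        !/^[ \t]*#/ && $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# nss_add_sss FILE DB: append sss to the DB line (or add the line) unless it is
# already there, rewriting in place so the file keeps its owner and mode.
nss_add_sss() {
    nss_has_sss "$1" "$2" && return 0
    tmp=$(mktemp)
    awk -v db="$2" '
        !/^[ \t]*#/ && $1 == (db ":") { $0 = $0 " sss"; seen = 1 }
        { print }
        END { if (!seen) print db ": files sss" }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# sudoers_rule GROUP [DOMAIN]: the line sudo needs. '%' marks a group, and the
# name must be exactly what `id user@ourdomain.org` prints in its groups list.
sudoers_rule() {
    if [ -n "${2:-}" ]; then printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$1" "$2"
    else printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"; fi
}

# install_sudoers_dropin GROUP DOMAIN DEST: write the rule as a 0440 drop-in.
# Validate with `visudo -c -f DEST` once it is under /etc/sudoers.d (as root).
install_sudoers_dropin() {
    sudoers_rule "$1" "$2" > "$3" && chmod 0440 "$3"
}

# Demo on a constructed Ubuntu-style nsswitch.conf that still lacks sss on group:.
nss=$(mktemp); printf 'passwd:  files systemd sss\ngroup:   files systemd\nshadow:  files\n' > "$nss"
if nss_has_sss "$nss" group; then echo "group: already consults sss"; else echo "group: missing sss, fixing"; fi
nss_add_sss "$nss" group
grep '^group:' "$nss"                           # group:   files systemd sss
d=$(mktemp -d); install_sudoers_dropin tech ourdomain.org "$d/ldap-tech"
cat "$d/ldap-tech"                              # %tech@ourdomain.org ALL=(ALL:ALL) ALL
rm -rf "$nss" "$d"
```

Two checks before relying on it: run `visudo -c -f /etc/sudoers.d/ldap-tech` after copying the drop-in into place, because a parse error in any sudoers file stops sudo working for everyone; and if ignore_group_members is set in sssd.conf, step 2 of the answer will show an empty group, so confirm membership with `id user@ourdomain.org` instead (sudo evaluates `%group` against the user's own group list, which still resolves). Also keep in mind that whoever matches the dynamic group's rule gets root on every host carrying this drop-in, so that rule is now part of the sudo policy.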
