Problem with large Active Directory

NethServer release 7.7.1908
Kernel release 3.10.0-1062.9.1.el7.x86_64
Account provider: remote Active Directory

After the domain connection to a very large domain (300,000 users), listing the accounts takes an extremely long time (several hours).

Tasks with >60%:
list-users & count-accounts

You can then no longer log on via the web interface on port 980, or logging on takes a few hours.
The web interface on port 9090 works, but it takes a long time to open modules.
Can you limit the connection to a domain to an OU?!

Thx & greetings,
Tim

@support_team Is it possible?

Really? 300.000 is a huge number of users, it’s far more than a “small-medium enterprise”. At that scale it is not possible to list every user on the same page without hitting some resource/time limit.

In my tests I assume 10.000 users that is a respectable number.

Yes it is possible, but I cannot ensure the restriction is observed by all applications.

  • Log in as root
  • Go to Users&Groups > Account Provider > Edit provider

A dialog window similar to this should appear:

[image]

As you have so many users probably the page never loads… Go to a root shell and type

config setprop sssd UserDN 'ou=this,dc=example,dc=com' GroupDN 'ou=this,dc=example,dc=com'
signal-event nethserver-sssd-save

To get a list of users in json format

/usr/libexec/nethserver/list-users
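The commands above take a literal DN, so the DN suffix and OU path have to be assembled by hand. As an added example (not code from the NethServer project or from the posters in this thread), the following POSIX shell helpers build the OU DN from a DNS domain name and an OU path, refuse an empty OU path (which would set UserDN back to the domain root and bring back the full listing), and then either print or run the config setprop / signal-event commands from the post. The domain ad.example.com and the OU path Staff,Berlin are constructed sample values; DRY_RUN defaults to 1 so nothing is changed unless it is explicitly set to 0 on a NethServer box.

```shell
#!/bin/sh
# Added example, not from the NethServer project or the thread's authors.
# Assumptions: the OU path is comma-separated, most specific first
# ("Staff,Berlin" -> ou=Staff,ou=Berlin); the domain is a dotted DNS name
# ("ad.example.com" -> dc=ad,dc=example,dc=com).

# Split $2 on the single character $1 and prefix every label with $3=.
# Pure shell, so it behaves the same on any POSIX sh.
join_labels() {
    _sep="$1"; _rest="$2"; _prefix="$3"; _out=""
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *"$_sep"*) _label="${_rest%%"$_sep"*}"; _rest="${_rest#*"$_sep"}" ;;
            *)         _label="$_rest"; _rest="" ;;
        esac
        # An empty label ("a..b" or "Staff,,Berlin") would produce an invalid DN.
        [ -n "$_label" ] || { echo "empty label in '$2'" >&2; return 1; }
        _out="${_out:+$_out,}${_prefix}=${_label}"
    done
    printf '%s\n' "$_out"
}

# ad.example.com -> dc=ad,dc=example,dc=com
domain_to_dn() { join_labels '.' "$1" dc; }

# Staff,Berlin -> ou=Staff,ou=Berlin
ou_path_to_dn() { join_labels ',' "$1" ou; }

# Full search base for sssd: ou=Staff,ou=Berlin,dc=ad,dc=example,dc=com
build_ou_dn() {
    _domain="$1"; _ou_path="$2"
    # Refuse an empty OU path: UserDN at the domain root means no filtering at all.
    [ -n "$_ou_path" ] || { echo "OU path must not be empty" >&2; return 1; }
    _ou=$(ou_path_to_dn "$_ou_path") || return 1
    _dc=$(domain_to_dn "$_domain") || return 1
    printf '%s,%s\n' "$_ou" "$_dc"
}

# Print (DRY_RUN=1, the default) or run (DRY_RUN=0) the commands from the post.
apply_sssd_ou_filter() {
    _dn=$(build_ou_dn "$1" "$2") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf "config setprop sssd UserDN '%s' GroupDN '%s'\n" "$_dn" "$_dn"
        printf 'signal-event nethserver-sssd-save\n'
    else
        config setprop sssd UserDN "$_dn" GroupDN "$_dn" &&
            signal-event nethserver-sssd-save
    fi
}

# Constructed sample input; prints the two commands without touching the system.
apply_sssd_ou_filter "ad.example.com" "Staff,Berlin"
```

After running with DRY_RUN=0 on the server, /usr/libexec/nethserver/list-users should return only the accounts below the chosen OU; if the count is still the full domain, check the DN for typos before assuming the filter is ignored.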

Sorry @davidep, but from your post I cannot understand how this operation could parse or chunk the number of users retrieved…

My bad, after a re-read I found that

config setprop sssd UserDN 'ou=this,dc=example,dc=com' GroupDN 'ou=this,dc=example,dc=com'
signal-event nethserver-sssd-save

contains the word "this" to identify the selected OU

“this” is just a placeholder: replace it with the actual OU name, along with the rest of the DN suffix.

Do I understand it correctly that you narrow down the base DN to an OU that contains a limited number of users?

Yes but I’m not sure everything works correctly. Maybe @nrauso can shed some light!

Exactly: AFAIK you can easily reduce the number of synced users and groups through the OUs filtering.

No problems found, till now! 🙂


Yes, there are so many users in the entire forest.
Even so, it was not quite right.
In one specific subdomain there may be only 100,000 users - but still too many.

According to Microsoft, we have the largest “contiguous” Active Directory worldwide.
And this is almost too big.

I’m going to test the OU filter.
Many thanks for the help.

I had seen a similar hint in the Nextcloud LDAP filter.

Holy Kamoly!
