Problem with large Active Directory

NethServer release 7.7.1908
Kernel release 3.10.0-1062.9.1.el7.x86_64
Active Directory remote accounts provide

After the domain connection to a very large domain (300,000 users), listing the accounts takes an extremely long time (several hours).

tasks with >60%:
list-users & count-accounts

You can then no longer log on via the web interface port 980, or log on takes a few hours.
The 9090 web interface works, but it takes a long time to call up modules.
Can you limit the connection to a domain to an OU?!

Thx & greetings,

@support_team Is it possible?

Really? 300.000 is a huge number of users, it’s far more than a “small-medium enterprise”. At that scale it is not possible to list every user on the same page without hitting some resource/time limit.

In my tests I assume 10.000 users that is a respectable number.

Yes it is possible, but I cannot ensure the restriction is observed by all applications.

  • Log in as root
  • Go to Users&Groups > Account Provider > Edit provider

There should appear be a similar dialog window:


As you have so many users probably the page never loads… Go to a root shell and type

config setprop sssd UserDN 'ou=this,dc=example,dc=com' GroupDN 'ou=this,dc=example,dc=com'
signal-event nethserver-sssd-save

To get a list of users in json format


Sorry @davidep but into your post is not understandable by me how this operation could parse or chunk the number of users retrieved…

By bad, after a re-read i found that

config setprop sssd UserDN 'ou=this,dc=example,dc=com' GroupDN 'ou=this,dc=example,dc=com'
signal-event nethserver-sssd-save

contains the word this for identify the selected OU

“this” is just a placeholder: replace it with the actual OU name, along with the rest of the DN suffix.

Do I understand it correctly that you narrow down the base DN to a OU where a limited amount of users are in?

Yes but I’m not sure everything works correctly. Maybe @nrauso can shed some light!

Exactly: AFAIK you can easily reduce the number of synced users and groups through the OUs filtering.

No problems found, till now! :slight_smile:

1 Like

Yes, there are so many users in the entire forest.
Even so, it was not quite right.
In one specific subdomain there may be only 100,000 users - but still too many.

According to Microsoft, we have the largest “contiguous” Active Directory worldwide.
And this is almost too big.

I’m going to test the OU filter.
Many thanks for the help.

I had seen a similar clue in Nextcloud.LDAP-Filter

Holy Kamoly!

1 Like