Configure OMV 4.1.3 with AD 10000+ users

    • Configure OMV 4.1.3 with AD 10000+ users

      First of all, I apologize for my very bad English :)


      I tried to install OMV 4.1.3 from an ISO on a VM.

      After installing, I configured the connection with AD on Windows Server 2008R2 using this manual - wishzone.net/all/openmediavaul…-a-windows-2008r2-domain/

      After connecting, I got a problem with the function getUserList, which takes more than 10 minutes. As I understand it, the problem is in this function:

      PHP Source Code: /usr/share/openmediavault/engined/rpc/usermgmt.inc

      function getUserList($params, $context) {
          // Validate the RPC caller context.
          $this->validateMethodContext($context, [
              "role" => OMV_ROLE_ADMINISTRATOR
          ]);
          // Validate the parameters of the RPC service method.
          $this->validateMethodParams($params, "rpc.common.getlist");
          // Get the list of non-system user.
          $users = $this->enumerateUsersByType("normal");
          // Process users and append additional information stored in
          // the database.
          foreach ($users as $userk => &$userv) {
              // Set the defaults of the additional information.
              $userv = array_merge($userv, [
                  "email" => "",
                  "disallowusermod" => FALSE,
                  "sshpubkeys" => []
              ]);
              // Get additional information stored in database.
              $db = \OMV\Config\Database::getInstance();
              $objects = $db->getByFilter("conf.system.usermngmnt.user", [
                  "operator" => "stringEquals",
                  "arg0" => "name",
                  "arg1" => $userv['name']
              ]);
              if (0 < count($objects)) {
                  // Get the user configuration object. Due the fact that a user
                  // name is unique, we can simply use the first found object.
                  $object = $objects[0];
                  // Append additional information.
                  $userv['email'] = $object->get("email");
                  $userv['disallowusermod'] = $object->get("disallowusermod");
                  if (FALSE === $object->isEmpty("sshpubkeys"))
                      $userv['sshpubkeys'] = $object->get("sshpubkeys.sshpubkey");
              }
          }
          // Filter the result.
          return $this->applyFilter($users, $params['start'],
              $params['limit'], $params['sortfield'], $params['sortdir']);
      }
      It gets the list of all users from AD and appends additional information from the local DB. => Getting the list of users takes a very long time.



      The second configuration variant that I used was from this manual - Guide to OMV 4 Active Directory Integration

      But in this case I don't get the list of users, because sssd loads one core at 100% (with param enumerate = True) or returns nothing (with param enumerate = False).


      The last idea was to use the openmediavault-ldap plugin, but in this case I don't get the list of users either.



      Maybe there is someone here who has configured OMV with AD with 10000+ users and can help with the configuration.

      Thank you :)
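
The per-user lookup pattern in the getUserList listing above, modelled as an added example that is not part of the original post and is not OMV code. The function names are hypothetical stand-ins, the users and local records are constructed, and the model assumes each filter query scans the local store.

```php
<?php
// Hypothetical stand-in for enumerateUsersByType("normal"): constructed users.
function enumerateDirectoryUsers(int $n): array {
    $users = [];
    for ($i = 0; $i < $n; $i++) {
        $users[] = ["name" => sprintf("user%05d", $i), "uid" => 10000 + $i];
    }
    return $users;
}

// Pattern from the listing: one filter query per enumerated user.
// Assumption: each query scans the local store ($scans counts record visits).
function listPerUserLookup(array $users, array $records, int &$scans): array {
    foreach ($users as &$u) {
        $u += ["email" => "", "disallowusermod" => false];
        foreach ($records as $r) {
            $scans++;
            if ($r["name"] === $u["name"]) { $u = array_merge($u, $r); break; }
        }
    }
    unset($u);
    return $users;
}

// Alternative: slice the requested page first, index the local store once,
// then enrich only the rows that are returned. Valid only when the sort
// field is a directory attribute (here: name), not a local one such as email.
function listPageFirst(array $users, array $records, int $start, int $limit, int &$scans): array {
    usort($users, function ($a, $b) { return strcmp($a["name"], $b["name"]); });
    $page = array_slice($users, $start, $limit);
    $byName = [];
    foreach ($records as $r) { $scans++; $byName[$r["name"]] = $r; }
    foreach ($page as &$u) {
        $u = array_merge($u, ["email" => "", "disallowusermod" => false], $byName[$u["name"]] ?? []);
    }
    unset($u);
    return $page;
}

$records = [   // constructed local records
    ["name" => "user00007", "email" => "u7@example.test", "disallowusermod" => true],
    ["name" => "user09999", "email" => "u9999@example.test", "disallowusermod" => false],
];
$users = enumerateDirectoryUsers(10000);
$a = 0; listPerUserLookup($users, $records, $a);
$b = 0; $page = listPageFirst($users, $records, 0, 25, $b);
printf("per-user lookups: %d record visits; page-first: %d; rows returned: %d\n", $a, $b, count($page));
```

This only models the local-database half of the listing; the cost of enumerating the directory itself through winbind or sssd is not affected by it.
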
    • I don't have 10000 users so take this with a grain of salt. I use sssd instead of winbind. It is a much newer way of doing things. I have a script in this thread that works for most Windows AD. forum.openmediavault.org/index…Directory-LDAP-Revisited/ You might have to tune it for 10000 users.

      Also see this forum.openmediavault.org/index…highlight=ldap#post180760


      Please let me know if you find anything that should be in the script.
      If you make it idiot proof, somebody will build a better idiot.
    • OMV is not designed to manage 10000+ users.
    • Again I have not used this with more than 100 users and 5 groups. "OMV is not designed to manage 10000+ users." Managing users and groups is not my goal. That is better left to the various LDAP / AD servers. sssd enumerates the users and groups for access rights to the shares. That is all Debian and not dependent on OMV code. It works great for me. The speed is the question with 10,000 users. sssd has been trying to improve speed for some time. I don't know what the limit is.

      The only way to know if this works for you is to try.
    • donh wrote:

      sssd has been trying to improve speed for some time. I don't know what the limit is.
      At work, we use sssd connected to LDAP (sync'd from AD) with more than 10k users on Linux systems. Works well but we never try to enumerate all of them into a paginated web interface. I do have a couple of sssd Linux systems connecting to AD and while it seems to be just as fast as LDAP, it is very problematic. sssd has to be restarted at least five times a week. This happens on Ubuntu 16/18 and CentOS/RHEL 7.
    • ryecoaaron wrote:

      donh wrote:

      sssd has been trying to improve speed for some time. I don't know what the limit is.
      At work, we use sssd connected to LDAP (sync'd from AD) with more than 10k users on Linux systems. Works well but we never try to enumerate all of them into a paginated web interface. I do have a couple of sssd Linux systems connecting to AD and while it seems to be just as fast as LDAP, it is very problematic. sssd has to be restarted at least five times a week. This happens on Ubuntu 16/18 and CentOS/RHEL 7.
      With 10,000 users it is probably better to use groups than users. Don't know if sssd can only enumerate groups. That should speed it up if possible.

      "This happens on Ubuntu 16/18 and CentOS/RHEL 7." Try Debian. LOL Seriously it is probably the Windows servers.

      Will be interesting to see what the OP finds.