HI!
Is it possible to let sssd always fetch all user entries by using the dereference control on all visible groups?
ldap_deref_threshold = 1 ?
Is the dereference control already available in sssd 1.9.6?
Ciao, Michael.
On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
HI!
Is it possible to let sssd always fetch all user entries by using the dereference control on all visible groups?
ldap_deref_threshold = 1 ?
Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD, ..)
Is the dereference control already available in sssd 1.9.6?
Yes.
Jakub Hrozek wrote:
On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
HI!
Is it possible to let sssd always fetch all user entries by using the dereference control on all visible groups?
ldap_deref_threshold = 1 ?
Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD, ..)
Hmm, I still see searches with filter (&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*)) sent by sssd (currently testing with 1.13.0, see config below).
I had hoped to switch off user searches completely at least after initializing the cache. Do I have to tweak caching/enumeration parameters?
Ciao, Michael.
--------------------------------- snip ---------------------------------
[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = AE-DIR

[local]
create_homedir = true

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]

[domain/AE-DIR]
id_provider = ldap
auth_provider = ldap

debug_level = 7

# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true

ldap_tls_cacert = /etc/ssl/certs/stroeder.com-server-ca-2009-07.crt
ldap_tls_cert = /etc/sssd/ae-client1.example.org.crt
ldap_tls_key = /etc/sssd/ae-client1.example.org.key
ldap_auth_use_start_tls = True
ldap_id_use_start_tls = True

ldap_uri = ldap://ldap.example.com:2342
ldap_sasl_mech = EXTERNAL

ldap_search_base = ou=ae-dir

ldap_schema = rfc2307bis

ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup

# avoid protocol incompatibilities with newer sssd versions by disabling deref:
ldap_deref_threshold = 1

ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_ssh_public_key = sshPublicKey

# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true

ldap_purge_cache_timeout = 3
Michael Ströder wrote:
Jakub Hrozek wrote:
On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
Is it possible to let sssd always fetch all user entries by using the dereference control on all visible groups?
ldap_deref_threshold = 1 ?
Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD, ..)
Hmm, I still see searches with filter (&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*)) sent by sssd (currently testing with 1.13.0, see config below).
I had hoped to switch off user searches completely at least after initializing the cache. Do I have to tweak caching/enumeration parameters?
For the records:
It seems with enumerate = false the behaviour is more like what I want to achieve.
At least if sssd queries the group entry first (caused by getent group name) there is absolutely no query with filter (objectClass=posixAccount).
Ciao, Michael.
On Tue, Sep 22, 2015 at 02:03:09PM +0200, Michael Ströder wrote:
Michael Ströder wrote:
Jakub Hrozek wrote:
On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
Is it possible to let sssd always fetch all user entries by using the dereference control on all visible groups?
ldap_deref_threshold = 1 ?
Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD, ..)
Hmm, I still see searches with filter (&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*)) sent by sssd (currently testing with 1.13.0, see config below).
I had hoped to switch off user searches completely at least after initializing the cache. Do I have to tweak caching/enumeration parameters?
For the records:
It seems with enumerate = false the behaviour is more like what I want to achieve.
Ah, sorry, I missed that you're trying to use enumerate=true. Yeah, that doesn't use deref, the code is actually much simpler:
* ldapsearch all users
* ldapsearch all groups
* establish the user-group memberships in the cache
At least if sssd queries the group entry first (caused by getent group name) there is absolutely no query with filter (objectClass=posixAccount).
Yep, we search the group entry and then dereference its members.
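The exchange above turns on which searches sssd actually sends: the full "(&(objectClass=posixAccount)(uid=*)...)" sweep of the enumeration path versus the group lookup followed by a base-scoped read of the group entry on the deref path. The following script is an added example, not code from the thread or from the sssd project: it parses the "calling ldap_search_ext with [filter][base]" messages that sssd's sdap layer writes to the domain log at debug_level = 7 and classifies each search, so you can confirm from a log what a given enumerate / ldap_deref_threshold combination does. The sample log lines are constructed for the example; the timestamp prefix, DNs and the "Dereferencing entry" line only approximate real sssd output, and the attribute names assume the rfc2307bis mapping used in the posted config.

```python
import re
from collections import Counter

# Constructed sample of a domain log written with debug_level = 7. The line
# shape follows sssd's "calling ldap_search_ext with [filter][base]" message;
# timestamps, DNs and the "Dereferencing entry" line are made up for this
# example and only approximate what a real sssd writes.
SAMPLE_LOG = """\
(Tue Sep 22 14:01:10 2015) [sssd[be[AE-DIR]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=posixGroup)(cn=ae-admins)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=ae-dir].
(Tue Sep 22 14:01:10 2015) [sssd[be[AE-DIR]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [cn=ae-admins,cn=ae,ou=ae-dir] using OpenLDAP deref
(Tue Sep 22 14:01:10 2015) [sssd[be[AE-DIR]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=*)][cn=ae-admins,cn=ae,ou=ae-dir].
(Tue Sep 22 14:05:00 2015) [sssd[be[AE-DIR]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))][ou=ae-dir].
(Tue Sep 22 14:05:01 2015) [sssd[be[AE-DIR]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=ae-dir].
"""

SEARCH_RE = re.compile(r"calling ldap_search_ext with \[([^\]]*)\]\[([^\]]*)\]")
# one "(attr=value)" assertion; nested "(&" / "(!" openers do not match
ASSERTION_RE = re.compile(r"\((\w+)=([^()]*)\)")
# attributes whose concrete value marks a lookup of one user/group
KEY_ATTRS = {"uid", "cn", "uidnumber", "gidnumber"}


def parse_searches(log_text):
    """Return (filter, base) for every LDAP search the log records."""
    return [m.groups() for m in SEARCH_RE.finditer(log_text)]


def classify(ldap_filter, base):
    """Label one search by what sssd was doing.

    A search is 'targeted' when a key attribute is compared with a concrete
    value; enumeration filters carry only wildcards (the '(!(gidNumber=0))'
    exclusion is not a target).
    """
    pairs = ASSERTION_RE.findall(ldap_filter)
    object_classes = {v for a, v in pairs if a.lower() == "objectclass"}
    targeted = any(a.lower() in KEY_ATTRS and v not in ("*", "0")
                   for a, v in pairs)
    if "posixAccount" in object_classes:
        return "user_lookup" if targeted else "user_enumeration"
    if "posixGroup" in object_classes:
        return "group_lookup" if targeted else "group_enumeration"
    if object_classes == {"*"}:
        # read of one entry by DN: the search sssd issues against the group
        # DN when it dereferences the members with the deref control
        return "single_entry_read"
    return "other"


def summarize(log_text):
    """Count search categories over a whole log."""
    return Counter(classify(f, b) for f, b in parse_searches(log_text))


def fetches_all_users(log_text):
    """True if any search pulled the whole user population, i.e. the
    '(&(objectClass=posixAccount)(uid=*)...)' filter seen in the thread."""
    return summarize(log_text)["user_enumeration"] > 0


if __name__ == "__main__":
    for f, b in parse_searches(SAMPLE_LOG):
        print(f"{classify(f, b):18s} base={b} filter={f}")
    print(dict(summarize(SAMPLE_LOG)))
    print("full user search seen:", fetches_all_users(SAMPLE_LOG))
```

Run it against /var/log/sssd/sssd_<domain>.log after a `getent group <name>` with enumerate = false and the only categories left should be a group_lookup and a single_entry_read; a user_enumeration entry means the enumeration sweep is still active.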
Jakub Hrozek wrote:
On Tue, Sep 22, 2015 at 02:03:09PM +0200, Michael Ströder wrote:
For the records:
It seems with enumerate = false the behaviour is more like what I want to achieve.
Ah, sorry, I missed that you're trying to use enumerate=true.
No problem. Actually enumerate = true was just in my local test installations.
At least if sssd queries the group entry first (caused by getent group name) there is absolutely no query with filter (objectClass=posixAccount).
Yep, we search the group entry and then dereference its members.
The production sssd configuration has enumerate = false. Tested only with 1.13.0 so far. If it also reliably works with 1.9.6 I'm quite happy with it.
Hm, in Æ-DIR [1] I also explicitly define the sudoers entries visible for a certain server group. Would be nice if I could use a deref spec like aeSrvGroup:aeVisibleSudoers to search for getting all sudoers entries more efficiently. I probably would have to implement an extra sssd backend similar to sssd-ipa for this.
[1] http://www.stroeder.com/publications.html#gpn15
Ciao, Michael.
sssd-users@lists.fedorahosted.org