On Wed, May 6, 2015 at 3:10 PM, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> To be fair, it's not that hard to turn that [ldapsearch command]
> into a bash script that your users can use instead of learning the
> LDAP syntax. But yes, that's still a change in behavior.
We could, but I think just using the ldapsearch command would cause
less confusion in the long run.
> Well, as the original post to this list noted, this is already
> broken, with no way to fix it. When we're talking to LDAP, there's
> no guarantee that the server will actually let us get all of the
> results. Many servers are configured with a limited number of
> records we can retrieve (though we work around that with paging
> controls on servers that support them). With AD, we can only
> enumerate the domain the host is joined to. If your users aren't
> part of the same domain as the host, enumeration won't find them.
I get it: there are multiple reasons why enumeration might not work in
a particular environment, and it might not be obvious (until you try
it) whether it will work.
But it *does* work for us. And it works for others.
Does it really make sense to remove a useful feature just because
there are corner cases in which it doesn't work?
(Hell, more than half of the Linux kernel code would have to be
excised if that's the standard we're using.)
I mean, how much time are the sssd developers spending fielding
complaints about enumeration not working correctly? If the answer is
"little to none", and the limitations are clearly spelled out (which
they are), what harm is there in leaving it enabled?
> > [W]e have many systems that cannot be joined to Active
> > (for policy reasons, not technical reasons).
> Sorry to sound glib, but "fix your policy". Let's be honest, any
> policy that boils down to "These machines are not allowed to
> function with proper security controls" is one that can only end in
Actually, the policy is a component of proper security controls.
(Which is why the policy won't change.)
> > I'm not asking you to make enumeration the default. It
> > be; it should be something you only turn on if you need it, and
> > you KNOW you need it. But if you need it, you NEED it. Please
> > don't take it away.
> If you need it, you're already in bad shape. Have you heard the
> adage "If someone is irreplaceable, replace them immediately"? The
> same is true for software. If you have a bad system in place, it's
> best to rip it out as fast as possible, because otherwise the
> problem will continue to grow, accruing technical debt you can never
> hope to manage.
Let me rephrase: to us, enumeration is a highly desirable feature, and
sssd nicely provides that feature.
Could we survive if sssd removed enumeration? Yes. I could cobble
something together to perform a global LDAP search against AD, extract
the usernames and groupnames from the returned objects, and then
perform a bajillion getpwnam(3) and getgrnam(3) calls on the object
But sssd already does that for us. And it does it more reliably, with
less overhead, than whatever replacement I could throw together.
> This is one of those cases: every band-aid we apply to the
> enumeration support causes this to limp along on life-support and
> provides consumers a false sense that this is something they can
I would argue that enumeration *is* reliable: if it works for your
configuration, it will work each time, every time.
I think what you mean is, "enumeration will only work for certain
configurations". That's a fair statement, but it's not the same thing