On Wed, May 6, 2015 at 3:10 PM, Stephen Gallagher <sgallagh@redhat.com> wrote:
> To be fair, it's not that hard to turn that [ldapsearch command] into a bash script that your users can use instead of learning the ldap syntax. But yes, that's still a change in behavior.
We could, but I think just using the ldapsearch command would cause less confusion in the long run.
> Well, as the original post to this list noted, this is already broken, with no way to fix it. When we're talking to LDAP, there's no guarantee that the server will actually let us get all of the results. Many servers are configured with a limited number of records we can retrieve (though we work around that with paging controls on servers that support them). With AD, we can only enumerate the domain the host is joined to. If your users aren't part of the same domain as the host, enumeration won't find them.
I get it: there are multiple reasons why enumeration might not work in a particular environment, and it might not be obvious (until you try it) whether it will work.
But it *does* work for us. And it works for others.
Does it really make sense to remove a useful feature just because there are corner cases in which it doesn't work?
(Hell, more than half of the Linux kernel code would have to be excised if that's the standard we're using.)
I mean, how much time are the sssd developers spending fielding complaints about enumeration not working correctly? If the answer is "little to none", and the limitations are clearly spelled out (which they are), what harm is there in leaving it enabled?
> > [W]e have many systems that cannot be joined to Active Directory (for policy reasons, not technical reasons).
> Sorry to sound glib, but "fix your policy". Let's be honest, any policy that boils down to "These machines are not allowed to function with proper security controls" is one that can only end in disaster.
Actually, the policy is a component of proper security controls. (Which is why the policy won't change.)
I'm not asking you to make enumeration the default. It shouldn't be; it should be something you only turn on if you need it, and you KNOW you need it. But if you need it, you NEED it. Please don't take it away.
> If you need it, you're already in bad shape. Have you heard the adage "If someone is irreplaceable, replace them immediately"? The same is true for software. If you have a bad system in place, it's best to rip it out as fast as possible, because otherwise the problem will continue to grow, accruing technical debt you can never hope to manage.
Let me rephrase: to us, enumeration is a highly desirable feature, and sssd nicely provides that feature.
Could we survive if sssd removed enumeration? Yes. I could cobble something together to perform a global LDAP search against AD, extract the usernames and groupnames from the returned objects, and then perform a bajillion getpwnam(3) and getgrnam(3) calls on the object names.
But sssd already does that for us. And it does it more reliably, with less overhead, than whatever replacement I could throw together.
> This is one of those cases: every band-aid we apply to the enumeration support causes this to limp along on life-support and provides consumers a false sense that this is something they can rely upon.
I would argue that enumeration *is* reliable: if it works for your configuration, it will work each time, every time.
I think what you mean is, "enumeration will only work for certain configurations". That's a fair statement, but it's not the same thing as "unreliable".
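Two technical points in the exchange above are worth seeing in code: Stephen's remark that a server-side size limit truncates an unpaged search (and that the paged results control is the workaround), and the poster's sketch of "enumerate, then getpwnam(3) every name". The following is an added example written for this page; it is not sssd code and not the poster's script. It runs offline: FakeDirectory is a constructed stand-in for an LDAP server that enforces a size limit and hands out paging cookies (assumed here to be a plain offset, where a real server returns an opaque token), SAMPLE_ENTRIES and KNOWN_ACCOUNTS are constructed data, and sample_lookup plays the role of pwd.getpwnam, which raises KeyError for unknown names exactly as the stand-in does.

```python
"""Enumeration as discussed in the thread, simulated offline.

Added example, not code from sssd or from anyone in this thread.  A real
client would use python-ldap or ldap3 against a live server; here a
FakeDirectory (constructed for this example) plays the server so that two
behaviours can be observed without network access:

  * an unpaged search against a server with a size limit comes back
    truncated, with resultCode sizeLimitExceeded (4);
  * a search using the simple paged results control (RFC 2696) walks the
    whole set one page at a time until the server returns an empty cookie.
"""
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_SIZELIMIT_EXCEEDED = 4   # resultCode sizeLimitExceeded (RFC 4511)


@dataclass
class SearchResult:
    entries: list        # entries returned by this search (or this page)
    result_code: int     # LDAP resultCode
    cookie: bytes        # RFC 2696 cookie; empty means no further pages


class FakeDirectory:
    """Stand-in for an LDAP server with a size limit.  Assumption for this
    example: the cookie is a plain offset (real servers use an opaque token)."""

    def __init__(self, entries, size_limit):
        self._entries = list(entries)
        self.size_limit = size_limit

    def search(self, page_size=None, cookie=b""):
        start = int(cookie) if cookie else 0
        if page_size is None:
            # No paging control: return at most size_limit entries and flag
            # the truncation in the result code.
            chunk = self._entries[:self.size_limit]
            code = (LDAP_SIZELIMIT_EXCEEDED
                    if len(self._entries) > self.size_limit else LDAP_SUCCESS)
            return SearchResult(chunk, code, b"")
        # Paging: one page is still capped at the size limit, but the server
        # keeps issuing cookies until the client has seen every entry.
        page = min(page_size, self.size_limit)
        chunk = self._entries[start:start + page]
        end = start + len(chunk)
        next_cookie = str(end).encode() if end < len(self._entries) else b""
        return SearchResult(chunk, LDAP_SUCCESS, next_cookie)


def enumerate_unpaged(directory):
    """One plain search.  Returns (names, complete); complete is False when
    the server truncated the result, which a naive script would not notice."""
    result = directory.search()
    names = [e["sAMAccountName"] for e in result.entries]
    return names, result.result_code == LDAP_SUCCESS


def enumerate_paged(directory, page_size=500):
    """Walk the directory with the paged results control.  Raises rather than
    returning a partial list if any page fails."""
    names, cookie = [], b""
    while True:
        result = directory.search(page_size=page_size, cookie=cookie)
        if result.result_code != LDAP_SUCCESS:
            raise RuntimeError(f"LDAP search failed, resultCode {result.result_code}")
        names.extend(e["sAMAccountName"] for e in result.entries)
        cookie = result.cookie
        if not cookie:
            return names


def resolve(names, lookup):
    """Second half of the poster's sketch: pass every enumerated name through
    a getpwnam-style lookup.  `lookup` must raise KeyError for unknown names,
    which pwd.getpwnam does, so it can be passed in directly on a real host."""
    resolved, missing = {}, []
    for name in names:
        try:
            resolved[name] = lookup(name)
        except KeyError:
            missing.append(name)
    return resolved, missing


# Constructed sample data: 1200 accounts behind a server size limit of 1000.
SAMPLE_ENTRIES = [{"sAMAccountName": f"user{i:04d}"} for i in range(1200)]
SAMPLE_DIRECTORY = FakeDirectory(SAMPLE_ENTRIES, size_limit=1000)
# Constructed NSS view: assume only the first 1150 names resolve on this host.
KNOWN_ACCOUNTS = {f"user{i:04d}": 10000 + i for i in range(1150)}


def sample_lookup(name):
    return KNOWN_ACCOUNTS[name]   # KeyError for unknown names, like pwd.getpwnam


if __name__ == "__main__":
    names, complete = enumerate_unpaged(SAMPLE_DIRECTORY)
    print(f"unpaged: {len(names)} names, complete={complete}")
    names = enumerate_paged(SAMPLE_DIRECTORY)
    print(f"paged:   {len(names)} names")
    resolved, missing = resolve(names, sample_lookup)
    print(f"resolved {len(resolved)}, unresolved {len(missing)}")
```

Against the constructed directory the unpaged search returns 1000 of 1200 names with the truncation flagged only in the result code, while the paged walk returns all 1200 whatever page size is requested, because the server clamps each page to its limit but keeps issuing cookies. The check on `result_code` in the unpaged path is the part a quick shell replacement usually omits; with OpenLDAP's ldapsearch the equivalent of the paged path is the `-E pr=500/noprompt` option, and the "missing" list from `resolve` is where names from a domain the host is not joined to would end up.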