Jakub Hrozek wrote:
On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
> HI!
>
> Is it possible to let sssd always fetch all user entries by using the
> dereference control on all visible groups?
>
> ldap_deref_threshold = 1 ?
Yes, this should do the trick with rfc2307bis or its derivatives (IPA, AD,
...).
Hmm, I still see searches with the filter
(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))
being sent by sssd (currently testing with 1.13.0, see config below).
I had hoped to switch off user searches completely at least after initializing
the cache. Do I have to tweak caching/enumeration parameters?
Ciao, Michael.
--------------------------------- snip ---------------------------------
[sssd]
config_file_version = 2
# nss/pam responders plus ssh (the domain maps sshPublicKey below) and sudo.
services = nss, pam, ssh, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# (Distribution template text above; the line is already active.)
domains = AE-DIR
[local]
# Applies to the "local" id provider only; the AE-DIR domain uses
# id_provider = ldap, so this section presumably has no effect here
# (leftover from the default template).
create_homedir = true
[nss]
# The responder never answers for root, so root keeps resolving through
# the other nsswitch sources even when the directory is unreachable.
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
# No overrides; the pam responder runs with its defaults.
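[domain/AE-DIR]
id_provider = ldap
auth_provider = ldap
# 7 is very verbose: the backend log will record every LDAP search (the
# filters quoted in the mail come from there). Lower it once the deref
# question is settled.
debug_level = 7
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# NOTE(review): enumeration periodically refetches all users and groups;
# together with the very short purge interval at the end of this section
# it is a likely source of the repeated posixAccount searches — confirm
# before tuning the deref settings.
enumerate = true
# Server certificates are verified against this CA file; the client
# certificate/key pair below is what the EXTERNAL bind presents. Keep the
# key file readable only by the account the sssd backend runs as.
ldap_tls_cacert = /etc/ssl/certs/stroeder.com-server-ca-2009-07.crt
ldap_tls_cert = /etc/sssd/ae-client1.example.org.crt
ldap_tls_key = /etc/sssd/ae-client1.example.org.key
# Booleans written lowercase to match the rest of the file (sssd parses
# them case-insensitively, so "True" and "true" are equivalent).
# NOTE(review): ldap_auth_use_start_tls is not an option I can find in
# sssd.conf(5); confirm that 1.13.0 recognizes it, otherwise drop it.
ldap_auth_use_start_tls = true
ldap_id_use_start_tls = true
# Plain ldap:// URI: the session is only protected because STARTTLS is
# enabled above, so keep the two settings together.
ldap_uri = ldap://ldap.example.com:2342
# EXTERNAL binds with the client certificate, so no bind DN/password
# lives in this file.
ldap_sasl_mech = EXTERNAL
ldap_search_base = ou=ae-dir
ldap_schema = rfc2307bis
ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup
# NOTE(review): the earlier comment here said this "disables deref", which
# contradicts the setting: per sssd.conf(5) a value of 0 disables
# dereferencing, while 1 dereferences whenever at least one group member
# is missing from the cache — i.e. the behaviour asked for in the mail.
ldap_deref_threshold = 1
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_ssh_public_key = sshPublicKey
# Allow offline logins by locally storing password hashes (default: false).
# The hashes land in the sssd cache database, which must stay root-only.
cache_credentials = true
# NOTE(review): the unit is seconds. 3 makes the cache cleanup task run
# almost continuously, dropping entries that enumeration then refetches;
# 10800 (3 h) was the historical default — confirm the intended value.
ldap_purge_cache_timeout = 3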