Hi Jakub and Stephen,
Thanks for your responses.
Stephen wrote:
>> Why does it still enumerate so many users and groups (that are not
>> me, and not in my ldap_access_filter) when I log in? Even when I have disabled
>> domain enumeration?
> As Jakub suggested, your investigation is slightly flawed. I'm guessing your version
> of "simulating an initgroups" is by running 'id username'.
> This is actually different from initgroups. What this does is an
> initgroups() call followed by a loop to look up every group that the user is a member of.
OK, thanks. I see now I've been using the wrong method to test this.
You guys have suggested "id -G" or actually logging in. "id -G"
doesn't seem to have the same effect on SSSD that actually logging in has. "id
-G" returns quite quickly, whereas a normal ssh login takes a very long time as SSSD
goes nuts performing user lookups on our AD (for hundreds of users that aren't even
logging into the server at the time).
I'll ensure all my testing from now on is an actual ssh login and not the
"groups" command.
> The net effect of this is that by doing this, we're also doing a
> lookup of all the users in those groups (we don't have a choice in this, because
> RFC2307bis servers can have other groups as a member and we cannot know which we're
> dealing with until we request it).
Yes, this is what I'm seeing. But is this also the case when I have disabled
nesting?
# grep nesting /etc/sssd/sssd.conf
ldap_group_nesting_level = 0
All our LDAP groups in the Unix OU have been flattened specifically to negate the need for
nested searching and (hopefully) increase performance.
> Most of what you're seeing in the 'strings' are actually
> what we call "fake" users though. They're users we've saved a minimal
> set of data about in the cache so that we can maintain our member/memberOf linkages so
> that group lookups work properly.
OK thanks, that makes sense. So when you get the results from a group search, you create
"fake" entries for those users.
Can I ask why SSSD still performs an LDAP lookup for each of these "fake" users?
Since none of these users are actually logging in at the time, it seems
to penalise the user who is logging in because sshd(& pam) blocks waiting for a
response from SSSD.
I've just installed ldb-tools (this is going to make interrogating the cache much
easier!) and I can see fullname and gecos information for almost 2000 users after I clear
the cache and log in with my login user.
# pkill sssd
# rm -f var/lib/sss/db/*
# sbin/sssd -c /etc/sssd/sssd.conf
# ssh myuser@0 date
Fri Jun 1 10:48:56 EST 2012
# ldbsearch -H var/lib/sss/db/cache_AAA.BBB.CCC.ldb 'objectclass=user' | grep ^gecos | wc -l
asq: Unable to register control with rootdse!
1937
I can confirm SSSD is doing ldap user lookups for all the "fake" users by
turning on debug.
This goes back to my original question. When I have enumerate disabled, why does SSSD
still look up all this fake user information in LDAP? And is there any way to disable it
from doing so?
Thanks for your help.
Tim.
________________________________
This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related
entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at
suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not
necessarily reflect the view of Suncorp. The content, including attachments, is a
confidential communication between Suncorp and the intended recipient. If you are not the
intended recipient, any use, interference with, disclosure or copying of this e-mail,
including attachments, is unauthorised and expressly prohibited. If you have received this
e-mail in error please contact the sender immediately and delete the e-mail and any
attachments from your system.
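The `grep ^gecos | wc -l` check in the post above counts every cached user that has a gecos value, but it cannot say which entries are the minimal "fake" placeholders Stephen describes, which ones have been fully looked up, or which group memberships pulled them in. The script below is an added example for this thread, not code from the SSSD project or from any of the posters. It parses captured ldbsearch output and sorts user entries into "resolved" and "minimal". It assumes ldbsearch's LDIF form (one attribute per line, blank line between entries, folded continuation lines starting with a space, `::` for base64 values), and it assumes, as the post does with gecos, that `uidNumber` and `gecos` are only present once a real LDAP user lookup has happened; that attribute list is a diagnostic heuristic, not SSSD's own definition of a fake user. The sample LDIF is constructed for the example and is not a real cache dump.

```python
"""Sort cached SSSD user entries into fully resolved users and minimal placeholders.

Added example for the sssd-users thread; not SSSD project code.  Assumptions:
input is ldbsearch LDIF text, and an entry is "resolved" when it carries the
attributes in RESOLVED_ATTRS (a heuristic, not SSSD's own notion of a fake user).
"""
import base64
import re
from collections import Counter

# Constructed sample of ldbsearch output (not a real cache dump): two users with
# full attributes, two minimal entries holding only memberOf linkage, one group.
SAMPLE_LDIF = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=alice,cn=users,cn=AAA.BBB.CCC,cn=sysdb
name: alice
objectClass: user
uidNumber: 10001
gecos: Alice Example
memberOf: name=unixadmins,cn=groups,cn=AAA.BBB.CCC,cn=sysdb

dn: name=bob,cn=users,cn=AAA.BBB.CCC,cn=sysdb
name: bob
objectClass: user
memberOf: name=unixadmins,cn=groups,cn=AAA.BBB.CCC,cn=sysdb
memberOf: name=dbadmins,cn=groups,
 cn=AAA.BBB.CCC,cn=sysdb

dn: name=carol,cn=users,cn=AAA.BBB.CCC,cn=sysdb
name: carol
objectClass: user
uidNumber: 10003
gecos:: Q2Fyb2w=
memberOf: name=dbadmins,cn=groups,cn=AAA.BBB.CCC,cn=sysdb

dn: name=dave,cn=users,cn=AAA.BBB.CCC,cn=sysdb
name: dave
objectClass: user
memberOf: name=unixadmins,cn=groups,cn=AAA.BBB.CCC,cn=sysdb

dn: name=unixadmins,cn=groups,cn=AAA.BBB.CCC,cn=sysdb
name: unixadmins
objectClass: group
member: name=alice,cn=users,cn=AAA.BBB.CCC,cn=sysdb
member: name=bob,cn=users,cn=AAA.BBB.CCC,cn=sysdb

# returned 5 records
"""

RESOLVED_ATTRS = ("uidNumber", "gecos")   # assumption: only a real lookup fills these
_ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of str values."""
    entries, raw = [], []            # raw holds [attr, sep, value] triples per entry
    for line in text.splitlines():
        if line.startswith("#") or line.startswith("asq:"):
            continue                 # ldbsearch comments and the asq control warning
        if line.startswith(" ") and raw:
            raw[-1][2] += line[1:]   # folded continuation of the previous value
        elif not line.strip():
            if raw:
                entries.append(_finalize(raw))
                raw = []
        else:
            m = _ATTR_RE.match(line)
            if m:
                raw.append(list(m.groups()))
    if raw:
        entries.append(_finalize(raw))
    return entries


def _finalize(raw):
    entry = {}
    for attr, sep, value in raw:
        if sep == "::":              # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value)
    return entry


def classify_users(entries):
    """Split objectClass=user entries into (resolved names, minimal names)."""
    resolved, minimal = [], []
    for e in entries:
        if not any(v.lower() == "user" for v in e.get("objectClass", [])):
            continue                 # skip groups and anything else in the cache
        name = e.get("name", ["?"])[0]
        (resolved if all(a in e for a in RESOLVED_ATTRS) else minimal).append(name)
    return resolved, minimal


def groups_behind_minimal(entries):
    """Count, per group RDN, how many minimal entries list that group in memberOf."""
    wanted = set(classify_users(entries)[1])
    counts = Counter()
    for e in entries:
        if e.get("name", [""])[0] in wanted:
            for dn in e.get("memberOf", []):
                counts[dn.split(",", 1)[0]] += 1
    return counts


def summarize(text):
    entries = parse_ldif(text)
    resolved, minimal = classify_users(entries)
    return {"resolved": len(resolved), "minimal": len(minimal),
            "groups": dict(groups_behind_minimal(entries))}


if __name__ == "__main__":
    import sys
    print(summarize(SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()))
```

Run it with the sample by itself, or feed it a real dump with `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb 'objectclass=user' | python3 thisfile.py`. Taking the "minimal" count before and after a login, as the post does with the raw gecos count, shows how many placeholder entries a single login turned into fully resolved users, and the per-group counts show which memberships are responsible for the extra lookups.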