On Thu, May 31, 2012 at 06:50:55AM +0000, GOLLSCHEWSKY, Tim wrote:
> Hi SSSD Users.
> I'm trying to increase the performance of my users' logins, we have a medium
> sized Active Directory.
> According to the man page, the enumerate directive:
> Determines if a domain can be enumerated. This parameter can have one of
> the following values:
> TRUE = Users and groups are enumerated
> FALSE = No enumerations for this domain
I think there is some confusion with the terminology the SSSD uses.
"enumerate=true" for SSSD means "download all data in the directory
> However when I start sssd with no cache and simulate an initgroups,
> it still seems to enumerate many many groups and user accounts.
I assume that you simulated initgroups with id -G or logging in?
> I'm running sssd v1.8.4:
> # pkill sssd
> # pgrep sssd
> # rm -f var/lib/sss/db/*
> # grep enumerate /etc/sssd/sssd.conf
> enumerate = FALSE
> # grep ldap_access /etc/sssd/sssd.conf
The access filter only tells the SSSD who can log in, it doesn't have any
effect on the data downloaded.
Since SSSD 1.7, the SSSD allows specifying a filter as part of the search
base. For example, to only download users that are members of a particular
The format is as per RFC2254. See man sssd-ldap for more details.
> # sbin/sssd -c /etc/sssd/sssd.conf
> # su - myuser -c "groups | wc"
> 1 193 1181
> # strings var/lib/sss/db/cache_AAA.BBB.CCC.ldb | grep OU=Groups,DC=aaa,DC=bbb,DC=ccc | sort -u | wc -l
> # strings var/lib/sss/db/cache_AAA.BBB.CCC.ldb | grep OU=Accounts,DC=aaa,DC=bbb,DC=ccc | sort -u | wc -l
> Sorry for my use of strings and sort -u, I don't know a better way to interrogate the
To poke at the cache, install the ldb-tools package and use the
"ldbsearch" utility. It works much like ldapsearch:
ldbsearch -H /var/lib/sss/db/cache_AAA.BBB.CCC.ldb 'objectclass=user'
> Why does it still enumerate so many users and groups (that are not me, and not in my
> ldap_access_filter) when I log in? Even when I have disabled domain enumeration?
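As an added illustration of the distinction drawn in the reply above (this is not a config from the thread or from the SSSD project; the server name, OU layout and the group cn=linux-users are made up to match the placeholders in the question, and the schema/attribute lines are typical settings for an AD server of that era, not verified against this site): ldap_access_filter is only a login gate evaluated for the one user who is logging in, while the base?scope?filter form of the search bases is what actually stops unrelated users and groups from being looked up and written to the cache.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = AAA.BBB.CCC

[domain/AAA.BBB.CCC]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
# Assumed server and schema settings for an Active Directory domain.
ldap_uri = ldaps://dc01.aaa.bbb.ccc
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

# No background download of the whole directory. Note that this alone does
# not bound what an initgroups for one user pulls in.
enumerate = false

# Login gate only: evaluated at authorization time for the user logging in.
# It has no effect on which entries are fetched and cached.
ldap_access_filter = (memberOf=cn=linux-users,ou=Groups,dc=aaa,dc=bbb,dc=ccc)

# Scope restriction (SSSD >= 1.7): base?scope?filter. The filter is an RFC
# 2254 search filter and is ANDed into every lookup, so only matching users
# and groups can ever end up in the cache. Both DNs and the group name are
# assumptions for this example.
ldap_user_search_base = ou=Accounts,dc=aaa,dc=bbb,dc=ccc?subtree?(memberOf=cn=linux-users,ou=Groups,dc=aaa,dc=bbb,dc=ccc)
ldap_group_search_base = ou=Groups,dc=aaa,dc=bbb,dc=ccc?subtree?(cn=linux-*)
```

After changing the search bases, stop sssd, delete the old cache file under /var/lib/sss/db, start it again, log in once, and count cached entries with the ldbsearch utility mentioned in the reply, e.g. `ldbsearch -H /var/lib/sss/db/cache_AAA.BBB.CCC.ldb '(objectclass=user)' | grep -c '^dn:'`; the number should now track the size of the filtered set rather than the whole OU. Keep in mind that a group filter which excludes a group the user belongs to means that group will not resolve for the user at all, so pick the group filter to cover every group you expect to appear in `groups` output.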