On Wed, May 06, 2015 at 07:47:11AM +0200, Lukas Slebodnik wrote:
On (06/05/15 01:12), James Ralston wrote:
>Hi,
>
>I think this problem may be part (or related to) the "FreeIPA/SSSD
>LDAP cross-forest trust slow queries" issue, but I'm not sure.
>
>We've been testing sssd on our RHEL6 and RHEL7 hosts, using the latest
>available packages. We have a fairly simple sssd configuration. We
>use the "ad" provider with LDAP id mapping:
>
> [sssd]
> config_file_version = 2
> debug_level = 0x0070
> domains = example.org
> services = nss, pam
>
> [nss]
> debug_level = 0x0070
> default_shell = /bin/bash
> fallback_homedir = /home/%u
>
> [pam]
> debug_level = 0x0070
>
> [domain/example.org]
> access_provider = ad
> auth_provider = ad
> cache_credentials = true
> chpass_provider = ad
> debug_level = 0x0010
> dyndns_update = false
> enumerate = true
I hope it was just for testing purposes. We do not recommend enabling
enumeration.
You know, just this morning, I was thinking about enumeration. It
doesn't work for IPA views at all, for example. It doesn't work for
trusted domains at all either (except for some limited support in AD
trusted domains that is very untested).
I wonder if we could just remove enumeration from IPA and AD back ends
in some major release.
It's just a legacy feature, so those who need it can fall back to the
LDAP provider.
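As an added example (not code from the thread or from the SSSD project), here is a small configuration audit that flags the setting discussed above: `enumerate = true` in an active `[domain/...]` section that uses the ad or ipa provider. The sample configuration is constructed from the one quoted in the thread; its `id_provider = ad` line is an assumption, since the quoted config is cut off after `enumerate`.

```python
"""Audit an sssd.conf for enumeration enabled on AD/IPA back ends.

Added example, not part of the thread. Flags [domain/...] sections that set
enumerate = true while using the ad or ipa provider, where the developers in
the thread describe enumeration as a legacy feature they do not recommend.
"""
import configparser
from typing import List

# Constructed sample based on the configuration quoted in the thread.
# The id_provider line is assumed; the quoted config stops at enumerate.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = example.org
services = nss, pam

[domain/example.org]
access_provider = ad
auth_provider = ad
id_provider = ad
cache_credentials = true
enumerate = true
"""

# Back ends where the thread says enumeration is unsupported or discouraged.
PROVIDERS_WITHOUT_ENUMERATION = {"ad", "ipa"}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; section names such as domain/example.org parse fine."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domains_with_enumeration(text: str) -> List[str]:
    """Return active domains that enable enumerate on an ad/ipa back end."""
    cp = parse_sssd_conf(text)
    # Only domains listed under [sssd] domains = ... are actually served.
    active = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()}
    flagged = []
    for section in cp.sections():
        if not section.startswith("domain/") or section[len("domain/"):] not in active:
            continue
        # getboolean accepts true/yes/on case-insensitively; absent means off.
        if not cp.getboolean(section, "enumerate", fallback=False):
            continue
        # id_provider selects the back end; fall back to auth_provider as a hint.
        provider = cp.get(section, "id_provider", fallback=cp.get(section, "auth_provider", fallback=""))
        if provider.strip().lower() in PROVIDERS_WITHOUT_ENUMERATION:
            flagged.append(section[len("domain/"):])
    return flagged


if __name__ == "__main__":
    print("enumeration on ad/ipa domains:", domains_with_enumeration(SAMPLE_SSSD_CONF))
```

Domains on the LDAP provider are not flagged, matching the thread's point that LDAP is where enumeration remains an option.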