On 28 Jan 2016, at 13:38, Angel Bosch abosch@ticmallorca.net wrote:
I wonder how this is done. In our case we have the requirement to list the users that are enabled for a system. Currently, both “getent passwd” and “getent group” do not show these users without enumeration. I don’t mind doing an iterative approach from either side (i.e. group or user), but how do I know these users/groups beforehand so I have a starting position?
In our environment we do that kind of listing in a lot of scripts on the server side, using direct LDAP searches.
like in:
USER_FULL_LIST=`ldapsearch -x -LLL -h $LDAP_SERVER -b "dc=global" "(mail=*@somedomain.net)" uid | grep "^uid: " | cut -d" " -f2- | sort`
Even though we have sssd configured, we prefer that approach, and we generally don't allow that kind of search on the client (desktop) side.
Maybe if you give some more info about what you need to achieve we can give you more accurate solutions.
Anyway, I don't know how hard it is to maintain this code, but I don't like letting enumeration go away, and I think software should always give options, not remove them. It is the admin's job to decide whether something can harm a system or not.
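The one-liner above pipes ldapsearch output through grep and cut. That works for short ASCII uids, but LDIF (which `ldapsearch -LLL` emits) folds long values onto continuation lines that start with a single space, and encodes any value that is not safe ASCII as `uid:: <base64>`; both cases slip past `grep "^uid: "`. The script below is an added example, not code from the thread or from FreeIPA: it unfolds the LDIF and decodes base64 values before collecting the uids. The sample LDIF is constructed inline (the DNs, the uids and the artificially short fold are made up) so the script runs offline; in practice you would feed it the output of the ldapsearch command shown above.

```shell
#!/bin/sh
# Added example: robustly extract uid values from `ldapsearch -LLL` output.
# Handles LDIF line folding (continuation lines begin with one space) and
# base64-encoded attribute values ("uid:: ..."), which a plain
# `grep "^uid: " | cut -d" " -f2-` pipeline silently drops.

# Constructed sample standing in for:
#   ldapsearch -x -LLL -h "$LDAP_SERVER" -b "dc=global" "(mail=*@somedomain.net)" uid
# The fold on the third entry is deliberately short to keep the sample readable.
SAMPLE_LDIF='dn: uid=bob,cn=users,cn=accounts,dc=global
uid: bob

dn: uid=alice,cn=users,cn=accounts,dc=global
uid:: YWxpY2U=

dn: uid=averyveryverylongusernamethatwrapsaround,cn=users,cn=accounts,dc=global
uid: averyveryverylongusernamethatwr
 apsaround
'

# ldif_uids: read LDIF on stdin, print one uid per line, sorted.
ldif_uids() {
    # Step 1: unfold, i.e. append each continuation line to the line before it.
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' |
    # Step 2: keep only uid lines, decoding the base64 form.
    while IFS= read -r line; do
        case "$line" in
            "uid:: "*) printf '%s\n' "${line#uid:: }" | base64 -d; printf '\n' ;;
            "uid: "*)  printf '%s\n' "${line#uid: }" ;;
        esac
    done | sort
}

# count_uids: number of uids recovered from the constructed sample.
count_uids() {
    printf '%s' "$SAMPLE_LDIF" | ldif_uids | wc -l | tr -d ' '
}

# has_uid NAME: exit 0 if NAME is among the uids recovered from the sample.
has_uid() {
    printf '%s' "$SAMPLE_LDIF" | ldif_uids | grep -qx -- "$1"
}

printf '%s' "$SAMPLE_LDIF" | ldif_uids
```

Two things worth noting about the original invocation rather than the parsing: `-x` selects simple authentication, and with no `-D` it is an anonymous bind, so the search only returns what the directory exposes to anonymous clients; and `-h host` on the default port sends the query and every returned uid in the clear unless you add `-ZZ` (require STARTTLS) or use `-H ldaps://...` instead.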
Our environment is a Hadoop cluster with FreeIPA as an identity provider with a trust against the corporate active directory. Business roles are created and reflected in active directory and then mapped to IPA. As mentioned in another thread one of the Hadoop components (Ranger) syncs all users and groups (including GIDs) on a regular basis to provide authorization.
We like the end-to-end security IPA provides for us (i.e. across OS and Hadoop) and we prefer to use IPA as our source of truth, instead of a mashup of several sources, making sure the loop stays closed.
I would be able to do LDAP searches on AD if IPA tells me where, but it also requires additional authentication, which I would prefer sssd or IPA to handle.