HI!
I'm seeing searches like this sent by sssd to the LDAP server:
(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))
Likely this is because some of the server admins set in sssd.conf:
enumerate = true
While it's debatable to disable enumeration I wonder how one can avoid that
sssd uses the filter above.
Since all three attributes are mandatory in objectClass posixAccount anyway
it would be sufficient to do a user enumeration search just with filter
(objectClass=posixAccount) because there cannot be an entry without any of
these attributes.
I'm asking because it turned out that the LDAP server's processing of
(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*)) is two times
slower than just (objectClass=posixAccount).
Ciao, Michael.