Following up on an issue from a while ago…
On Thu, May 14, 2015 at 9:32 PM, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> [T]he SSSD developers are spending a moderate amount of time dealing
> with bugs in it [enumeration], first of all. Secondly, the
> limitations aren't really clearly spelled out. We probably need to
> expand the manpages to describe how poorly this feature works.
> Right now, it only describes the negative performance impact, but
> not the fact that it simply doesn't work in some environments.
> And the harm to leaving it enabled is that failures in the
> enumeration code are generally *silent* and therefore hard to debug.
> When an enumeration only completes partially, there's no way to
> know. If you have a system that is basing access control on a user
> being in (or not in) a particular group read through enumeration,
> then this may result in a security issue. (Example: you explicitly
> disallow members of the "untrusted" group from accessing sensitive
> machines. However, user jappleseed should be in this group, but
> enumeration didn't pick him up because of a peculiarity of
> cross-realm interaction. Now jappleseed has access to a sensitive
> machine. Ouch.)
After spending many months running with enumeration enabled, we
reached the conclusion that the cost of enumeration wasn't worth it,
and disabled it.
We didn't encounter any of the corner cases where enumeration doesn't
work, silently fails, returns incomplete group information, et al.
But what we *did* notice is that sssd pounded the host when
enumeration was enabled, even if the host was otherwise idle. (We had
a non-trivial number of mostly-idle hosts where sssd had the most CPU
consumption of any service running on the system.)
While it is currently somewhat of a pain to perform iterative
enumeration (due to cache performance issues), for the handful of
hosts where we need to enumerate all AD users and groups, it's
still a better alternative than enabling enumeration in sssd and
having it pound the hosts.
In conclusion, we no longer care if the enumeration feature is removed
from sssd, because we are no longer using it.