On Thu, 2012-05-31 at 06:50 +0000, GOLLSCHEWSKY, Tim wrote:
Hi SSSD Users.
I'm trying to increase the performance of my users' logins; we have a medium-sized Active Directory.
According to the man page, the enumerate directive:
enumerate (bool)
Determines if a domain can be enumerated. This parameter can have one of
the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
However, when I start sssd with no cache and simulate an initgroups, it still seems to enumerate many, many groups and user accounts.
I'm running sssd v1.8.4:
# pkill sssd
# pgrep sssd
# pwd
/apps/sssd-1.8.4
# rm -f var/lib/sss/db/*
# grep enumerate /etc/sssd/sssd.conf
enumerate = FALSE
# grep ldap_access /etc/sssd/sssd.conf
ldap_access_filter = memberOf=cn=xxxgroup,ou=yyyOU,ou=zzzOU,ou=Groups,dc=aaa,dc=bbb,dc=ccc
# sbin/sssd -c /etc/sssd/sssd.conf
# su - myuser -c "groups | wc"
1 193 1181
# strings var/lib/sss/db/cache_AAA.BBB.CCC.ldb | grep OU=Groups,DC=aaa,DC=bbb,DC=ccc | sort -u | wc -l
522
# strings var/lib/sss/db/cache_AAA.BBB.CCC.ldb | grep OU=Accounts,DC=aaa,DC=bbb,DC=ccc | sort -u | wc -l
1938
Sorry for my use of strings and sort -u; I don't know a better way to interrogate the cache.
Why does it still enumerate so many users and groups (that are not me, and not in my ldap_access_filter) when I log in, even when I have disabled domain enumeration?
As Jakub suggested, your investigation is slightly flawed. I'm guessing
your version of "simulating an initgroups" is by running 'id username'.
This is actually different from initgroups. What this does is an
initgroups() call followed by a loop to look up every group that the
user is a member of.
The net effect of this is that by doing this, we're also doing a lookup
of all the users in those groups (we don't have a choice in this,
because RFC2307bis servers can have other groups as a member and we
cannot know which we're dealing with until we request it).
Most of what you're seeing in the 'strings' are actually what we call
"fake" users though. They're users we've saved a minimal set of data
about in the cache so that we can maintain our member/memberOf linkages
so that group lookups work properly.
Also, you get many more results when grepping on the search base there
because it will appear in multiple places among groups and users. Groups
will have it listed as the 'originalDN' attribute, but every user that
is a member of those groups will also have an 'originalMemberOf' entry
pointing at that subtree as well. This is also the reason you're seeing
groups that your initial user doesn't belong to. It's showing up in the
originalMemberOf attribute of these fake users.
So if you want to get a better view of what is happening, use the
ldb-tools as Jakub said. Also, if you want to test JUST initgroups(),
use the 'id -G' command instead of the bare 'id' command. This will skip
the individual group lookups and save you a lot of trouble.