I wonder how this is done. In our case we have the requirement to list the users that are enabled for a system. Currently, both “getent passwd” and “getent group” do not show these users without enumeration. I don’t mind doing an iterative approach from either side (i.e. group or user), but how do I know these users/groups beforehand so I have a starting position?
In our environment we do that kind of listing in a lot of scripts on the server side, using direct LDAP searches,
like in:
USER_FULL_LIST=$(ldapsearch -x -LLL -h "$LDAP_SERVER" -b "dc=global" "(mail=*@somedomain.net)" uid | grep "^uid: " | cut -d" " -f2- | sort)
Even though we have sssd configured, we prefer that approach, and we generally don't allow that kind of search on the client (desktop) side.
Maybe if you give some more info about what you need to achieve, we can give you more accurate solutions.
Anyway, I don't know how hard it is to maintain this code, but I don't like letting enumeration go away, and I think software should always give options, not remove them. It is the admin's job to decide whether something can harm a system or not.
abosch
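The one-liner above works because uid values are short and plain ASCII. As an added example (not abosch's script and not part of the original post), here is the same server-side approach written as a small POSIX shell script that also copes with two things the plain grep misses: ldapsearch folds long values onto continuation lines, and emits non-ASCII values base64-encoded as `attr:: ...`. It also shows the "other side" of the question, starting from a group and listing its members. `$LDAP_SERVER`, the base `dc=global` and the posixGroup/memberUid attribute names are assumptions for an OpenLDAP-style directory; the LDIF sample at the bottom is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example; assumes an OpenLDAP-style server and base DN (placeholders).
LDAP_SERVER="${LDAP_SERVER:-ldap.example.invalid}"
LDAP_BASE="${LDAP_BASE:-dc=global}"

# Read LDIF on stdin and print the sorted values of one attribute.
# Step 1 (awk): join folded lines, which start with a single space.
# Step 2 (shell): take "attr: value" as-is and decode "attr:: base64".
ldif_attr_values() {
    attr="$1"
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "$attr:: "*) printf '%s\n' "${line#"$attr:: "}" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done | sort
}

# User side: every uid matching a filter, e.g. '(mail=*@somedomain.net)'.
# -o ldif-wrap=no turns folding off at the source on newer ldapsearch;
# the parser above still copes when that option is not available.
ldap_user_list() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "ldap://$LDAP_SERVER" \
        -b "$LDAP_BASE" "$1" uid | ldif_attr_values uid
}

# Group side: the memberUid values of one posixGroup (attribute names assumed).
ldap_group_members() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "ldap://$LDAP_SERVER" \
        -b "$LDAP_BASE" "(&(objectClass=posixGroup)(cn=$1))" memberUid \
        | ldif_attr_values memberUid
}

# Constructed LDIF, shaped like `ldapsearch -LLL ... uid mail` output:
# one folded mail value and one base64-encoded uid.
SAMPLE_LDIF='dn: uid=bob,ou=people,dc=global
uid: bob
mail: bob@somedomain.net

dn: uid=alice,ou=people,dc=global
uid: alice
mail: alice@somedomain.net

dn: uid=carol,ou=people,dc=global
uid:: Y2Fyb2w=
mail: carol@somedomain.net

dn: uid=dan,ou=people,dc=global
uid: dan
mail: a.very.long.mailbox.name.for.folding.tests@somedomain.ne
 t
'

# Offline demo of the parser (no directory needed):
#   printf '%s' "$SAMPLE_LDIF" | ldif_attr_values uid
# Against a real server:
#   ldap_user_list '(mail=*@somedomain.net)'
#   ldap_group_members sysadmins
```

Doing the query on the server side, as the post describes, keeps the search filter and the bind credentials off the desktops; the client-side sssd configuration can stay with enumeration off and still resolve the names this script hands it.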