On Wed, May 06, 2015 at 03:10:05PM -0400, Stephen Gallagher wrote:
----- Original Message -----
> From: "James Ralston" <ralston(a)pobox.com>
> To: "End-user discussions about the System Security Services Daemon"
> Sent: Wednesday, May 6, 2015 1:28:35 PM
> Subject: [SSSD-users] please do not remove enumeration from AD provider
> On Wed, May 6, 2015 at 4:27 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> > You know, just this morning, I was thinking about enumeration. It
> > doesn't work for IPA views at all for example. It doesn't work for
> > trusted domains at all either (except for some limited support in AD
> > trusted domains that is very untested)
> > I wonder if we could just remove enumeration from IPA and AD back
> > ends in some major release.
> Please don't do this.
> Enumeration is a very useful feature. It allows us to do things like
> $ getent passwd | grep -i lastname
> The equivalent ldapsearch command is much more tedious:
> $ ldapsearch -z 0 -E pr=2147483647/noprompt -o ldif-wrap=no -L -L -H
> 'ldap:///dc%3Dexample%2Cdc%3Dorg' -Y GSSAPI -N -b "dc=example,dc=org"
> "(&(objectClass=user)(cn=*lastname*))" dn cn sAMAccountName
To be fair, it's not that hard to turn that into a bash script that your users can
use instead of learning the ldap syntax. But yes, that's still a change in behavior.
> More generically, enumeration is the way Unix/Linux has always worked.
> Even getting users to change from:
> grep -i lastname /etc/passwd
> To this:
> getent passwd | grep -i lastname
> ...has been a struggle.
> We also have various services that (unfortunately) pre-load the passwd
> and group files at startup by enumerating them with getpwent_r() and
> getgrent_r(), instead of using the get*nam_r() and get*id_r()
> functions as-needed. These services break outright if enumeration is
> (Yes, these services are broken. Yes, they shouldn't do that. But our
> ability to fix them is extremely limited at best, because we don't
> control them.)
Well, as the original post to this list noted, this is already broken, with no way to fix
it. When we're talking to LDAP, there's no guarantee that the server will actually
let us get all of the results. Many servers are configured with a limited number of
records we can retrieve (though we work around that with paging controls on servers that
support them). With AD, we can only enumerate the domain the host is joined to. If your
users aren't part of the same domain as the host, enumeration won't find them.
> Finally, we have many systems that cannot be joined to Active
> Directory (for policy reasons, not technical reasons). But we want to
> use the same passwd/group entries on those systems as returned by sssd
> on hosts that are joined to Active Directory. We do this by scraping
> the output of "getent -s sss passwd" and "getent -s sss group"
> manually merging it into the local passwd and group files
> (respectively) on these hosts.
Sorry to sound glib, but "fix your policy". Let's be honest, any policy
that boils down to "These machines are not allowed to function with proper security
controls" is one that can only end in disaster.
> > It's just a legacy feature, so those who need it can fall back to
> > the LDAP provider.
> But the LDAP provider doesn't support ID mapping; only the AD provider
> does. And ID mapping is the main reason we use sssd.
As noted in the other reply, the LDAP provider does support ID mapping. However,
you'll still have to face the same problems as above with regards to paging limits and
domains other than the one the host is joined to.
> I'm not asking you to make enumeration the default. It shouldn't be;
> it should be something you only turn on if you need it, and you KNOW
> you need it. But if you need it, you NEED it. Please don't take it
If you need it, you're already in bad shape. Have you heard the adage "If
someone is irreplaceable, replace them immediately"? The same is true for software.
If you have a bad system in place, it's best to rip it out as fast as possible,
because otherwise the problem will continue to grow, accruing technical debt you can never
hope to manage.
This is one of those cases: every band-aid we apply to the enumeration support causes
this to limp along on life-support and provides consumers a false sense that this is
something they can rely upon. Frankly, I think it may be time to rip off the
aforementioned band-aid and amputate this gangrenous limb.
Right. And a half-broken, half-working implementation creates false
expectations. We claim that we "support IPA ID views", but then enabling
enumeration would simply break those.
As we keep adding features to AD and IPA back ends, they are no longer just
wrappers around the LDAP provider with correct defaults for the particular
I think it would be more fair towards our users to only support what we
can actually support and what can actually work. I'm not saying
enumeration support should go away in the next release, but eventually
we should remove it and advise the setups that require enumeration to
migrate to using the LDAP provider.
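A wrapper in the shape Stephen suggests above (a script users run instead of learning LDAP filter syntax), added here as an example and not code from the thread or from SSSD. It assumes the base DN, URI and attribute names from James's ldapsearch command, and escapes the user-supplied name so it cannot change the structure of the filter.

```shell
#!/bin/sh
# Added example: look up AD users by (partial) name without enumeration.
# Assumed defaults taken from the ldapsearch command in the thread;
# override with LDAP_BASE_DN / LDAP_URI for another directory.
BASE_DN="${LDAP_BASE_DN:-dc=example,dc=org}"
LDAP_URI="${LDAP_URI:-ldap:///dc%3Dexample%2Cdc%3Dorg}"

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, '*', '(' and ')' become \5c, \2a, \28 and \29. Without this a
# name such as "x)(memberOf=*" would rewrite the filter instead of being
# matched as text. Backslash is handled first so escapes are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter from James's command, with the substring escaped.
user_filter() {
    printf '(&(objectClass=user)(cn=*%s*))' "$(ldap_filter_escape "$1")"
}

# Run the search with the same options as the original: no client-side
# size limit, paged results (works around server-side limits where the
# server supports the control), unwrapped LDIF, GSSAPI authentication.
# Only the attributes the original command asked for are requested.
find_user() {
    [ -n "$1" ] || { echo "usage: find_user <lastname>" >&2; return 2; }
    ldapsearch -z 0 -E pr=1000/noprompt -o ldif-wrap=no -LL -Y GSSAPI -N \
        -H "$LDAP_URI" -b "$BASE_DN" "$(user_filter "$1")" \
        dn cn sAMAccountName
}

# Example invocation (needs a reachable directory and a Kerberos ticket):
# find_user lastname
```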