On 05/19/2010 08:30 AM, David O'Brien wrote:
> Stephen Gallagher wrote:
>> On May 19, 2010, at 3:46 AM, Jakub Hrozek<jhro...@redhat.com> wrote:
>>
>>> On 05/19/2010 09:27 AM, David O'Brien wrote:
>>>> Now that this file is taking on the nature of a help file, I've
>>>> attempted to improve its readability, with:
>>>>
>>>> 1. Minor layout changes (whitespace between sections)
>>>> 2. Spell check, inc. s/backend/back end (standardization)
>>>> 3. General copy-edit
>>>>
>>>> Pretty trivial stuff.
>>>>
>>> Nack, one of the comments still mentions EntryCacheTimeout and
>>> EntryCacheNoWaitRefreshTimeout - these are remains of the v1 config
>>> format, we should also change them to entry_cache_timeout and
>>> entry_cache_nowait_timeout (the example below the comment is correct).
>>>
>>> I'm also wondering whether we should advertise enumerate=True in the
>>> examples for remote domains?
>>>
>>
>> We should certainly mention it, but surround it with comments that it
>> will impact performance and may impact security in the form of an
>> information leak.
>>
> This seems to be contrary to what's mentioned in trac ticket #330, where
> it says that enumerate=true is usually (surprisingly) more efficient and
> should be set as the default. No mention of any security issues there...
>
> Have things changed? I'm not in a position to vote one way or the other.
>

Yeah, that's way out of date now. We finally found the bug that was
causing enumerate=false to run really really slowly (and eat 100% CPU).
Once we knocked that out, we reset the default to be enumerate=false.

As far as security issues, it's not a serious one. It's just the
difference between a user being able to do 'getent passwd' and
immediately having a list of every user that could have access to the
system vs. requiring them to know the username in advance.

-- 
Stephen Gallagher
RHCE 804006346421761
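
An added example, not part of the original thread or of the SSSD project's code: a small audit of an sssd.conf text for the two points raised above, leftover v1 option names (including in comments) and domains that turn enumerate on. The function name, the sample config, and the assumption that "true" is the only spelling used for a true value are constructed for illustration.

```python
import configparser
import re

# v1-format names called out in the thread, mapped to the replacements named there.
LEGACY_KEYS = {
    "EntryCacheTimeout": "entry_cache_timeout",
    "EntryCacheNoWaitRefreshTimeout": "entry_cache_nowait_timeout",
}

# Constructed sample input: one stale comment and one enumerating domain.
SAMPLE = """\
[sssd]
domains = LOCAL, EXAMPLE

[domain/LOCAL]
enumerate = False

# EntryCacheTimeout sets how long entries stay cached
[domain/EXAMPLE]
entry_cache_timeout = 600
enumerate = True
"""

def audit_sssd_conf(text):
    """Return (location, finding) tuples for legacy names and enumerate=True."""
    findings = []
    # Pass 1: scan raw lines so legacy names inside comments are caught too.
    for lineno, line in enumerate(text.splitlines(), 1):
        for old, new in LEGACY_KEYS.items():
            if re.search(rf"\b{old}\b", line):
                findings.append((f"line {lineno}", f"v1 name {old}; use {new}"))
    # Pass 2: parse the file and check each [domain/...] section.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        # The thread states the default is enumerate=false, so a missing key is fine.
        value = parser.get(section, "enumerate", fallback="false")
        if value.strip().lower() == "true":  # assumption: only "true" is used
            findings.append((section, "enumerate=True: 'getent passwd' lists "
                                      "every user; also costs performance"))
    return findings

if __name__ == "__main__":
    for location, finding in audit_sssd_conf(SAMPLE):
        print(f"{location}: {finding}")
```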