Stephen Gallagher wrote:
On 05/19/2010 08:30 AM, David O'Brien wrote:
Stephen Gallagher wrote:
On May 19, 2010, at 3:46 AM, Jakub Hrozek<jhro...@redhat.com>  wrote:

On 05/19/2010 09:27 AM, David O'Brien wrote:
Now that this file is taking on the nature of a help file, I've
attempted to improve its readability, with:

1. Minor layout changes (whitespace between sections)
2. Spell check, inc. s/backend/back end (standardization)
3. General copy-edit

Pretty trivial stuff.

Nack, one of the comments still mentions EntryCacheTimeout and
EntryCacheNoWaitRefreshTimeout - these are remains of the v1 config
format, we should also change them to entry_cache_timeout and
entry_cache_nowait_timeout (the example below the comment is correct).

I'm also wondering whether we should advertise enumerate=True in the
examples for remote domains?


We should certainly mention it, but surround it with comments that it
will impact performance and may impact security in the form of an
information leak.

This seems to be contrary to what's mentioned in trac ticket #330, where
it says that enumerate=true is usually (surprisingly) more efficient and
should be set as the default. No mention of any security issues there...

Have things changed? I'm not in a position to vote one way or the other.


Yeah, that's way out of date now. We finally found the bug that was causing enumerate=false to run really really slowly (and eat 100% CPU). Once we knocked that out, we reset the default to be enumerate=false.

As far as security issues, it's not a serious one. It's just the difference between a user being able to do 'getent passwd' and immediately having a list of every user that could have access to the system vs. requiring them to know the username in advance.

I added a summary of sgallagh's work Re performance hit with enumeration=TRUE from the man page to the top of the section on example domain configurations.

Hopefully I've done the patch-fixing/amending properly. Feel free to offer "Do this next" instructions while I get my head around git, creating and submitting patches, and working in a collaborative environment.

Revision attached.
Thanks sgallagh for all the instruction so far.

/davido the sole doc writer for SSSD  ;-)
--

David O'Brien
Senior Technical Writer, Engineering Content Services
Red Hat Asia Pacific Pty Ltd
193 North Quay, Brisbane

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.
From 2ad07e899417f4f438ebd50ea2f90ec6e5da4690 Mon Sep 17 00:00:00 2001
From: David O'Brien <daobr...@daobrien.csb>
Date: Wed, 19 May 2010 17:17:51 +1000
Subject: [PATCH] Copy-edit and format review sssd.conf

Updated EntryCache*Timeout to the correct values.
Fixed one missed EntryCacheTimeout
Added notes about perf hit of using enumeration.
---
 src/examples/sssd.conf |   45 +++++++++++++++++++++++++++------------------
 1 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/src/examples/sssd.conf b/src/examples/sssd.conf
index e93cf51..21664b9 100644
--- a/src/examples/sssd.conf
+++ b/src/examples/sssd.conf
@@ -1,40 +1,49 @@
 [sssd]
 config_file_version = 2
+
 # Number of times services should attempt to reconnect in the
 # event of a crash or restart before they give up
 reconnection_retries = 3
-# if a backend is particularly slow you can raise this timeout here
+
+# If a back end is particularly slow you can raise this timeout here
 sbus_timeout = 30
 services = nss, pam
-; domains = LOCAL,LDAP
-# SSSD will not start if you don't configure any domain.
-# Add new domains condifgurations as [domain/<NAME>] sections.
-# Then add the list of domains (in the order you want them to be
-# queried in the 'domains" attribute above and uncomment it
 
+# SSSD will not start if you do not configure any domains.
+# Add new domain configurations as [domain/<NAME>] sections, and
+# then add the list of domains (in the order you want them to be
+# queried) to the "domains" attribute below and uncomment it.
+; domains = LOCAL,LDAP
 
 [nss]
-# the following prevents sssd for searching for the root user/group in
-# all domains (you can add here a comma separated list of system accounts are
-# always going to be /etc/passwd users, or that you want to filter out)
+# The following prevents SSSD from searching for the root user/group in
+# all domains (you can add here a comma-separated list of system accounts that
+# are always going to be /etc/passwd users, or that you want to filter out).
 filter_groups = root
 filter_users = root
 reconnection_retries = 3
 
-# The EntryCacheTimeout indicates the number of seconds to retain before
-# an entry in cache is considered stale and must block to refresh.
-# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to
+# The entry_cache_timeout indicates the number of seconds to retain an
+# entry in cache before it is considered stale and must block to refresh.
+# The entry_cache_nowait_timeout indicates the number of seconds to
 # wait before updating the cache out-of-band. (NSS requests will still
-# be returned from cache until the full EntryCacheTimeout). Setting this
-# value to 0 turns this feature off (default)
+# be returned from cache until the full entry_cache_timeout). Setting this
+# value to 0 turns this feature off (default).
 ; entry_cache_timeout = 600
 ; entry_cache_nowait_timeout = 300
 
 [pam]
 reconnection_retries = 3
 
+# Example domain configurations
+# Note that enabling enumeration in the following configurations will have a
+# moderate performance impact while enumerations are actually running, and
+# may increase the time necessary to detect network disconnection.
+# Consequently, the default value for enumeration is FALSE.
+# Refer to the sssd.conf man page for full details.
+
 # Example LOCAL domain that stores all users natively in the SSSD internal
-# directory. These local users and groups are not visibile in /etc/passwd, it
+# directory. These local users and groups are not visibile in /etc/passwd; it
 # now contains only root and system accounts.
 ; [domain/LOCAL]
 ; description = LOCAL Users domain
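Review bot: The new "Example domain configurations" comment block documents only the performance cost of enumeration, but the discussion above also named a second consideration: with enumerate = true any local account can list every user the domain serves via getent passwd, while with the default the username has to be known in advance. Suggest one extra line in that comment so administrators weigh both, e.g. "# Enumeration also lets any local user list all accounts in the domain." Separately, "visibile" in the LOCAL domain comment is carried through unfixed in a copy-edit patch and should read "visible".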
@@ -44,9 +53,9 @@ reconnection_retries = 3
 ; max_id = 999
 
 # Example native LDAP domain
-# ldap_schema can be set to 'rfc2307', which uses the 'memberuid' attribute
-# for group membership, or to 'rfc2307bis', which uses the 'member' attribute
-# to denote group membership. Changes to this setting affects only how we
+# ldap_schema can be set to "rfc2307", which uses the "memberuid" attribute
+# for group membership, or to "rfc2307bis", which uses the "member" attribute
+# to denote group membership. Changes to this setting affect only how we
 # determine the groups a user belongs to and will have no negative effect on
 # data about the user itself. If you do not know this value, ask an
 # administrator.
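Review bot: The grammar fix ("affect") and the quote style are fine, but "will have no negative effect on data about the user itself" understates the consequence of a wrong ldap_schema: the same comment says the setting decides how group membership is determined, so a wrong value silently produces missing or incorrect group lists, which matters wherever authorization is based on group membership. Suggest wording along the lines of "A wrong value results in missing or incorrect group memberships for users."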
-- 
1.5.5.6
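The thread above argues that enumerate should stay off for remote domains because it lets any local user list every account. The following audit check, written for this post and not part of SSSD or the patch, parses an sssd.conf and reports active non-local domains that have enumeration switched on. The sample configuration is constructed; the only assumptions are that sssd.conf is INI-style with # and ; comment lines and that the option value is spelled true/false case-insensitively.

```python
import configparser
from typing import List

# Constructed sample sssd.conf (not the real example file) with one local
# and one LDAP domain, both enumerating.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL, LDAP

[nss]
; entry_cache_timeout = 600

[domain/LOCAL]
id_provider = local
enumerate = true
min_id = 500

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
enumerate = True
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text; '#' and ';' start comment lines, '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def enumerating_remote_domains(text: str) -> List[str]:
    """Return names of domains listed in [sssd] 'domains' whose id_provider
    is not 'local' and whose 'enumerate' is set to true (default is false)."""
    cp = parse_sssd_conf(text)
    active = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()}
    flagged = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        provider = cp.get(section, "id_provider", fallback="").strip().lower()
        enum = cp.get(section, "enumerate", fallback="false").strip().lower()
        if name in active and provider != "local" and enum == "true":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for domain in enumerating_remote_domains(SAMPLE_CONF):
        print(f"warning: remote domain {domain} has enumerate = true")
```

Run against the real /etc/sssd/sssd.conf, the LOCAL domain is ignored and only remote domains that both enumerate and are actually active are reported.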

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel