On 03/18/2015 04:08 PM, Paul B. Henson wrote:
From: Dmitri Pal
Sent: Wednesday, March 18, 2015 12:05 PM
it configurable there is really no practical value in decoupling
enumeration between users and groups. You either cache both or not.
Caching one but not the other would not solve any problem.
I said "enumeration", you are saying "caching" -- that's not the same thing. I
don't think there would be any value in caching users and not groups, or vice versa, but I can
absolutely think of a use case where *enumerating* one but not the other is valuable.
Consider a hypothetical organization with 500,000 users and 1000 groups. They
don't want to enable enumeration for users, as that would thrash both their
LDAP servers and the clients. On the other hand, they do want to enable
enumeration for groups, as they have an application for which that is a
requirement. With the current implementation, either their application works
and they risk somebody intentionally or accidentally enumerating users and
breaking things, or they are not at risk but the application does not work.
Being able to separately configure enumeration for users versus groups would
allow this organization to both prevent performance issues and enable their
application.
I don't know how frequently such a use case might arise, but I believe I would
call it practical :).
I really do not want to get into this discussion.
When I say users and groups I mean also group membership. The groups by
themselves do not have much value for applications unless you also have
memberships. In the given example, if you download all groups but not
users, you would have to download complex group membership on the fly for
every user. This is usually costly. So I think the main decision is: you
either enumerate group membership, and thus store users and groups at
the same time, or you do not do it and look up things as needed. This is
why it does not make sense to break them apart. It is possible but does
not bring any improvement even in the case you suggested above. In the
case above it is actually worse, as you will enumerate all the groups
though you might not need all of them.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users