Jakub Hrozek wrote:
> On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
>> HI!
>>
>> Is it possible to let sssd always fetch all user entries by using the
>> dereference control on all visible groups?
>>
>> ldap_deref_threshold = 1 ?
>
> Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD,
> ..)

Hmm, I still see searches with filter
(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))
sent by sssd (currently testing with 1.13.0, see config below).

I had hoped to switch off user searches completely at least after
initializing the cache. Do I have to tweak caching/enumeration parameters?

Ciao, Michael.

--------------------------------- snip ---------------------------------
[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = AE-DIR

[local]
create_homedir = true

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]

[domain/AE-DIR]
id_provider = ldap
auth_provider = ldap
debug_level = 7

# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true

ldap_tls_cacert = /etc/ssl/certs/stroeder.com-server-ca-2009-07.crt
ldap_tls_cert = /etc/sssd/ae-client1.example.org.crt
ldap_tls_key = /etc/sssd/ae-client1.example.org.key
ldap_auth_use_start_tls = True
ldap_id_use_start_tls = True
ldap_uri = ldap://ldap.example.com:2342
ldap_sasl_mech = EXTERNAL
ldap_search_base = ou=ae-dir
ldap_schema = rfc2307bis
ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup

# avoid protocol incompatibilities with newer sssd versions by disabling deref:
ldap_deref_threshold = 1

ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_ssh_public_key = sshPublicKey

# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true

ldap_purge_cache_timeout = 3
