Following up on an issue from a while ago…

On Thu, May 14, 2015 at 9:32 PM, Stephen Gallagher <sgall...@redhat.com> wrote:

> [T]he SSSD developers are spending a moderate amount of time dealing
> with bugs in it [enumeration], first of all.  Secondly, the
> limitations aren't really clearly spelled out.  We probably need to
> expand the manpages to describe how poorly this feature works.
> Right now, it only describes the negative performance impact, but
> not the fact that it simply doesn't work in some environments.
>
> And the harm to leaving it enabled is that failures in the
> enumeration code are generally *silent* and therefore hard to debug.
> When an enumeration only completes partially, there's no way to
> know.  If you have a system that is basing access control on a user
> being in (or not in) a particular group read through enumeration,
> then this may result in a security issue. (Example: you explicitly
> disallow members of the "untrusted" group from accessing sensitive
> machines.  However, user jappleseed should be in this group, but
> enumeration didn't pick him up because of a peculiarity of
> cross-realm interaction.  Now jappleseed has access to a sensitive
> machine. Ouch.)

After spending many months running with enumeration enabled, we
reached the conclusion that the cost of enumeration wasn't worth it,
and disabled it.

We didn't encounter any of the corner cases where enumeration doesn't
work, silently fails, returns incomplete group information, et al.
But what we *did* notice is that sssd pounded the host when
enumeration was enabled, even if the host was otherwise idle.  (We had
a non-trivial number of mostly-idle hosts where sssd had the most CPU
consumption of any service running on the system.)

While it is currently somewhat of a pain to perform iterative
enumeration (due to cache performance issues), for the handful of
hosts where we need to enumerate all AD users and groups, it's
still a better alternative than enabling enumeration in sssd and
having it pound the hosts.

In conclusion, we no longer care if the enumeration feature is removed
from sssd, because we are no longer using it.
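As an added example (not part of this thread or of SSSD itself), a small audit script that lists every `[domain/...]` section of an sssd.conf-style file still carrying `enumerate = true`, so the hosts that are still paying the enumeration cost can be found; the domain names in the embedded sample config are constructed.

```shell
# Added example (not from the thread): report each [domain/...] section of an
# sssd.conf-style file that has "enumerate = true". SSSD reads the value
# case-insensitively and treats an absent key as false; this mirrors that.
sssd_enumeration_audit() {
    awk '
        # Remember the current section header, e.g. [domain/corp.example]
        /^[[:space:]]*\[/ {
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "")
            section = $0
            next
        }
        # Ignore comments and blank lines
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        # Key/value line of interest: "enumerate = <value>" in a domain section
        section ~ /^domain\// && /^[[:space:]]*enumerate[[:space:]]*=/ {
            split($0, kv, "=")
            val = tolower(kv[2])
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (val == "true") print section
        }
    ' "$1"
}

# Constructed sample config (hypothetical domain names) written to a temp file
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = corp.example, lab.example, legacy.example
services = nss, pam

[domain/corp.example]
id_provider = ad
enumerate = True

[domain/lab.example]
id_provider = ad
; enumeration left at its default (false)

[domain/legacy.example]
id_provider = ldap
enumerate=false
EOF

sssd_enumeration_audit "$SAMPLE_CONF"   # prints: domain/corp.example
```

Run it against /etc/sssd/sssd.conf on each host to find domains where enumeration is still switched on.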
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org