On Sat, 2020-11-14 at 19:11 -0500, Nico Kadel-Garcia wrote:
On Sat, Nov 14, 2020 at 6:02 PM Markus Larsson
<qrsbrwn(a)uidzero.se>
wrote:
> > Sounds like a horrible experience. It seems circumventable by not
> > caching entire OUs though. The way sssd has been used where I have
> > been, it has only cached users actually logging in. That's a single
> > setting in sssd.conf that makes all the difference.
> > Not saying you're wrong though, I've just never seen the issue over
> > the years.
> > I have seen early sssd take down an AD domain controller due to
> > aggressively asking for every user, but that was many years ago :)
> Which setting are you referring to? Because a couple of years ago, I
> couldn't find a graceful way to prevent it.
ignore_group_members is the one. It has other implications which can
make a fuss in certain situations though.
Generally, what is problematic in my book is that most LDAP directories
have a group that contains every user of the directory, which prompts
sssd to pull every user.
One could also mask the offending group, and in some cases that solves
the issue.
I feel your pain though, I have seen quite a few LDAPs but never a tidy
one (not even my freeipa at home is as tidy as I would like it to be).
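For readers who want to see where the settings discussed above live, here is an sssd.conf fragment as an added example; it is not from the thread or from the sssd project's documentation. The domain name `example.com`, the group name `allusers`, and the LDAP URI are assumptions chosen for illustration. It shows the "pull everything" configuration beside the one that only caches users who actually log in and stops sssd from expanding a directory-wide group.

```ini
# Added example, not the original poster's config.
# Domain name, server URI and group name are placeholders.

[sssd]
services = nss, pam
domains = example.com

[nss]
# "Masking the offending group": groups listed here are never returned by
# the sss NSS module, so an all-users group cannot be expanded via getent.
# Assumed group name; default value of filter_groups is "root".
filter_groups = root, allusers

# --- Weak configuration: walks the whole directory -----------------------
#[domain/example.com]
#id_provider = ldap
#ldap_uri = ldap://ldap.example.com
#ldap_search_base = dc=example,dc=com
## enumerate = True makes sssd download and cache every user and group
## up front, which is what hammered the directory in the stories above.
#enumerate = True
## Default behaviour: group lookups fetch every member, so a group that
## contains all users pulls every user object.
#ignore_group_members = False

# --- Corrected configuration: cache only users who log in ----------------
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# enumerate defaults to False; set it explicitly so nobody "helpfully"
# turns it on. Users are looked up and cached on first use only.
enumerate = False
# The setting named in the reply. Group lookups no longer return members,
# so an all-users group is not expanded. Side effect ("makes a fuss"):
# getent group <name> shows an empty member list; id <user> still works
# because it resolves memberships from the user side.
ignore_group_members = True
```

Check the effect after `systemctl restart sssd` and a cache wipe (`sss_cache -E`): `getent group allusers` should return nothing (filtered), another large group should show no members, and `id someuser` should still list that user's groups, while the LDAP server's access log should show one lookup per user who logs in rather than a sweep of the whole tree.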