Hello again,
I was wondering about "recommending" settings about sssd. We have an AD
with around 1500 users.
Before sssd was introduced we used nss/ldap to query user-data from AD.
However I figured it would be nice to get sssd working and started to
configure that instead, got it working mostly as I want (posted some
issues earlier on the mailing-list).
Question though,
With the earlier setup it was possible to do 'getent passwd' and get a list
of all users, right. With the new setup, I only get the users in the
passwd file when doing 'getent passwd', however if I do 'getent passwd
username', I get the info I want. Then I tried with the setting
enumerate=true for the current domain, and that seemed to fix the getent
problem as it would return all the users, however that is really slow;
having sssd running in debug-mode it produces thousands of lines with,
(Fri Aug 6 11:00:34 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x4257310
(Fri Aug 6 11:00:34 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Destroying timer event 0x2ac70f0 "ltdb_timeout"
(Fri Aug 6 11:00:34 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Ending timer event 0x425c200 "ltdb_callback"
Then it finishes, kind of, then after a couple of minutes it's doing the
same thing again.
So basically, what I'm wondering is, can't I have getent passwd returning
all my users without having enumerate = true in the config?
Here's my config,
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = foo
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/foo]
description = LDAP domain with AD server
enumerate = true/false
min_id = 0
id_provider = ldap
auth_provider = krb5
krb5_kdcip = 123
krb5_realm = foo
# option name corrected: sssd spells it "principal" (unknown option names are silently ignored)
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_keytab = /etc/krb5.keytab
krb5_validate = true
ldap_sasl_mech = gssapi
ldap_krb5_keytab = /etc/krb5.keytab
ldap_uri = ldap://foo
ldap_schema = rfc2307bis
ldap_search_base = DC=xx,DC=xxxx,DC=xx
ldap_user_search_scope = sub
ldap_user_search_base = ou=People,dc=xx,dc=xxxx,dc=xx
ldap_group_search_base = ou=Groups,dc=xx,dc=smhi,dc=xx
ldap_user_object_class = person
ldap_user_name = cn
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = msSFUHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_gecos = mail
ldap_group_object_class = Group
ldap_group_name = cn
ldap_group_gid_number = msSFU30GidNumber
ldap_force_upper_case_realm = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/CADOUBLE.cer
ldap_tls_cacertdir = /etc/openldap/cacerts
Best regards,
Patrik Martinsson, Sweden.
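To put a number on the churn described in the post (bursts of ldb tevent timer lines that come back every couple of minutes), here is an added example, not part of the original mail or of sssd itself, that parses debug lines in the quoted format and reports per-second burst counts and the gap between bursts. The sample log, the SMHI backend name, the handles and the burst threshold of 3 lines per second are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the sssd debug lines quoted above (made-up timestamps/handles).
SAMPLE_LOG = """\
(Fri Aug 6 11:00:34 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x4257310
(Fri Aug 6 11:00:34 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Destroying timer event 0x2ac70f0 "ltdb_timeout"
(Fri Aug 6 11:00:34 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Ending timer event 0x425c200 "ltdb_callback"
(Fri Aug 6 11:00:34 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x4257320
(Fri Aug 6 11:00:35 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Ending timer event 0x425c210 "ltdb_callback"
(Fri Aug 6 11:00:35 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [jdoe@SMHI]
(Fri Aug 6 11:03:41 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x4257330
(Fri Aug 6 11:03:41 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Destroying timer event 0x2ac7100 "ltdb_timeout"
(Fri Aug 6 11:03:41 2010) [sssd[be[SMHI]]] [ldb] (9): tevent: Ending timer event 0x425c220 "ltdb_callback"
garbage line that must be ignored
"""

LINE_RE = re.compile(
    r'^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]\] \[(?P<func>[^\]]+)\] '
    r'\((?P<level>\d+)\): (?P<msg>.*)$'
)
TS_FORMAT = '%a %b %d %H:%M:%S %Y'

def parse_line(line):
    """Split one sssd debug line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def tevent_counts(log_text):
    """Number of ldb tevent timer lines per (backend process, timestamp second)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['func'] == 'ldb' and rec['msg'].startswith('tevent:'):
            counts[(rec['proc'], rec['ts'])] += 1
    return counts

def burst_seconds(log_text, threshold=3):
    """Seconds in which a backend logged at least `threshold` tevent lines, in time order.
    The threshold is an assumed cut-off for this example, not an sssd setting."""
    hits = [(datetime.strptime(ts, TS_FORMAT), proc)
            for (proc, ts), n in tevent_counts(log_text).items() if n >= threshold]
    return sorted(hits)

def burst_intervals(log_text, threshold=3):
    """Seconds between consecutive bursts; a steady gap points at a periodic backend job."""
    times = [t for t, _ in burst_seconds(log_text, threshold)]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

Run it against a real debug log (sssd_foo.log) to see whether the bursts line up with a fixed period rather than with user lookups, which is the pattern the mail describes.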