On 03/18/2015 04:08 PM, Paul B. Henson wrote:
>> From: Dmitri Pal
>> Sent: Wednesday, March 18, 2015 12:05 PM
>> it configurable there is really no practical value in decoupling
>> enumeration between users and groups. You either cache both or not.
>> Caching one but not another would not solve any problem.
>
> I said "enumeration", you are saying "caching" -- that's not the same thing.
> I don't think there would be any value in caching users and not groups, or
> vice versa, but I can absolutely think of a use case where *enumerating* one
> but not the other is valuable.
>
> Consider a hypothetical organization with 500,000 users and 1000 groups. They
> don't want to enable enumeration for users, as that would thrash both their
> LDAP servers and the clients. On the other hand, they do want to enable
> enumeration for groups, as they have an application for which that is a
> requirement. With the current implementation, either their application works
> and they risk somebody intentionally or accidentally enumerating users and
> breaking things, or they are not at risk but the application does not work.
>
> Being able to separately configure enumeration for users versus groups would
> allow this organization to both prevent performance issues and enable their
> application.
>
> I don't know how frequently such a use case might arise, but I believe I
> would call it practical :).
I really do not want to get into this discussion.

When I say users and groups I mean also group membership. The groups by
themselves do not have much value for applications unless you also have
memberships. In the given example, if you download all groups but not
users, you would have to download complex group membership on the fly for
every user. This is usually costly. So I think the main decision is: you
either enumerate group membership, and thus you store users and groups at
the same time, or you do not do it and look up things as needed. This is
why it does not make sense to break them apart. It is possible but does
not bring any improvement even in the case you suggested above. In the
case above it is actually worse, as you will enumerate all the groups
though you might not need all of them.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.