On Wed, Feb 22, 2023 at 11:31 PM Prentice Bisbal <pbisbal(a)pppl.gov> wrote:
On 2/22/23 4:14 PM, Patrick Riehecky wrote:
> Is there a way to get results in `getent passwd` from a files domain
> with enumerate=false?
>
> relevant domain snippet:
> [domain/FNAL.GOV]
> auth_provider=krb5
> id_provider=files
> enumerate=false
>
>
> When I change from `enumerate=false` to `enumerate=true` I get
> everything I'd expect from `getent passwd`.
>
> The load time on my enormous file is painful with enumerate=true.
>
> Pat
Are you providing a username to getent like this for user foo?
getent passwd foo
That should give you the passwd file entry for user foo when
enumerate=false (and even when it's true!)
> The load time on my enormous file is painful with enumerate=true.
That is why enumerate=false is the default for sssd: enumerating through
every possible value puts a huge load on SSSD, so it shouldn't be used at
sites with a large number of user accounts.
Actually 'files provider' is somewhat special:
1) it always reads the entire /etc/passwd into SSSD cache, so there
should be no difference CPU load wise.
2) IIRC, 'files provider' doesn't actually respond to enumeration
requests because typically there is also 'files' in 'passwd:' database
that enumerates and glibc concatenates results.
From a practical point of view, for the 'auth_provider=krb5' & local users
case, we now tend to recommend using 'id_provider = proxy' with lib
'files'.
'Files provider' might be deprecated / removed upstream going forward.
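
The recommendation above, applied to a config file, as an added example that is not part of the original thread or of SSSD itself: a small Python helper that rewrites every `id_provider=files` domain to `id_provider=proxy` with `proxy_lib_name=files` and leaves `auth_provider` and the other options alone. It assumes the "lib" mentioned in the reply is set through the sssd.conf option `proxy_lib_name`; the function name and the `[sssd]` section of the sample are constructed for illustration.

```python
import configparser
import io

# Constructed sample input, modelled on the domain snippet quoted in the thread.
SAMPLE = """\
[sssd]
domains = FNAL.GOV

[domain/FNAL.GOV]
auth_provider=krb5
id_provider=files
enumerate=false
"""


def migrate_files_domains(conf_text):
    """Return (new_conf_text, changed_domains).

    Every [domain/...] section with id_provider=files is switched to
    id_provider=proxy plus proxy_lib_name=files. Other sections and
    options are kept. Note: configparser drops comments on rewrite.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    changed = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam], ... are not touched
        provider = cp.get(section, "id_provider", fallback="")
        if provider.strip().lower() != "files":
            continue  # ldap, ad, ipa, proxy domains stay as they are
        cp.set(section, "id_provider", "proxy")
        cp.set(section, "proxy_lib_name", "files")
        changed.append(section[len("domain/"):])
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed


if __name__ == "__main__":
    new_text, changed = migrate_files_domains(SAMPLE)
    print("migrated domains:", changed)
    print(new_text)
```

Review the generated text before installing it; sssd.conf must stay owned by root with restrictive permissions, and SSSD needs a restart to pick up the change.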