On 28 Jan 2016, at 13:38, Angel Bosch <abosch(a)ticmallorca.net> wrote:
> I wonder how this is done. In our case we have the requirement to list the users
> that are enabled for a system. Currently, both "getent passwd" and "getent group"
> do not show these users without enumeration. I don't mind doing an approach from
> either side (i.e. group or user), but how do I know these users/groups beforehand
> so I have a starting position?
In our environment we do that kind of listing in a lot of scripts on the server side,
using direct LDAP searches:
    # users whose mail is in somedomain.net, reduced to a sorted list of uid values
    USER_FULL_LIST=$(ldapsearch -x -LLL -h "$LDAP_SERVER" -b "dc=global" \
        "(mail=*@somedomain.net)" uid | grep "^uid: " | cut -d" " -f2- | sort)
Even if we have sssd configured, we prefer that approach, and we generally don't
allow that kind of search on the client (desktop) side.
Maybe if you give some more info about what you need to achieve, we can give you more
Anyway, I don't know how hard it is to maintain this code, but I don't like letting
enumeration go away, and I think software should always give options, not remove them.
It is the admin's job to decide if something can harm a system or not.
Our environment is a Hadoop cluster with FreeIPA as an identity provider with a trust
against the corporate Active Directory.
Business roles are created and reflected in Active Directory and then mapped to IPA.
As mentioned in another thread, one of the Hadoop components (Ranger) syncs all users
and groups (including GIDs) on a regular basis to provide authorization.
We like the end-to-end security IPA provides for us (i.e. across OS and Hadoop) and we
prefer to use IPA as our source of truth, instead of a mashup of several sources,
making sure the loop stays closed.
I would be able to do LDAP searches on AD if IPA tells me where, but it also requires
additional authentication which I would prefer sssd or IPA to handle.
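As an added example (not code from either poster): the `ldapsearch -LLL` output that Angel's `grep "^uid: " | cut` pipeline reads can contain base64-encoded values (`uid::`) and folded continuation lines, both of which that pipeline silently drops. This parser handles both and skips accounts FreeIPA has disabled (it sets nsAccountLock: TRUE on them), so a server-side search can answer "which users are enabled" without client-side enumeration. The LDIF below is a constructed sample, not real directory data.

```python
import base64

# Constructed sample of `ldapsearch -x -LLL ... uid nsAccountLock` output (not real
# directory data). It has the two cases a grep/cut pipeline mishandles, a base64
# value ("uid::") and a folded continuation line, plus one disabled account.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=global
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=global
uid: bob
nsAccountLock: TRUE

dn: uid=jose,cn=users,cn=accounts,dc=global
uid:: am9zw6k=

dn: uid=carol,cn=users,cn=accounts,dc=global
uid: car
 ol
nsAccountLock: FALSE
"""


def parse_ldif(text: str):
    """Yield one {attribute: [values]} dict per blank-line-separated LDIF entry."""
    lines: list[str] = []
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        else:
            entry: dict[str, list[str]] = {}
            for line in lines:
                attr, _, value = line.partition(":")
                if value.startswith(":"):      # "attr:: <base64>" carries non-ASCII values
                    value = base64.b64decode(value[1:].strip()).decode("utf-8")
                else:
                    value = value.strip()
                entry.setdefault(attr.lower(), []).append(value)
            if entry:
                yield entry
            lines = []


def enabled_uids(ldif_text: str) -> list[str]:
    """Sorted uids of accounts FreeIPA has not disabled (nsAccountLock: TRUE)."""
    uids: list[str] = []
    for entry in parse_ldif(ldif_text):
        if entry.get("nsaccountlock", ["FALSE"])[0].upper() != "TRUE":
            uids.extend(entry.get("uid", []))  # disabled accounts are skipped
    return sorted(uids)
```

Feed it the output of a search such as `ldapsearch -x -LLL -h $LDAP_SERVER -b "cn=users,cn=accounts,dc=global" "(uid=*)" uid nsAccountLock` (base DN assumed from the thread's dc=global); ask for nsAccountLock explicitly so the disabled flag is in the result.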