From: Dmitri Pal
Sent: Wednesday, March 18, 2015 12:05 PM
> it configurable there really no practical value in decoupling
> enumeration between users and groups. You either cache both or not.
> Caching one but not another would not solve any problem.
I said "enumeration", you are saying "caching" -- that's not the
same thing. I don't think there would be any value in caching users and not groups, or
vice versa, but I can absolutely think of a use case where *enumerating* one but not the
other is valuable.
Consider a hypothetical organization with 500,000 users and 1000 groups. They don't
want to enable enumeration for users, as that would thrash both their LDAP servers and the
clients. On the other hand, they do want to enable enumeration for groups, as they have an
application for which that is a requirement. With the current implementation, either their
application works and they risk somebody intentionally or accidentally enumerating users
and breaking things, or they are not at risk but the application does not work.
Being able to separately configure enumeration for users versus groups would allow this
organization to both prevent performance issues and enable their application.
I don't know how frequently such a use case might arise, but I believe I would call it
practical :).
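To make the argument above concrete, here is an added example (not SSSD code, and not something either author posted): a toy NSS-style responder in which the single "enumerate" switch is split into a hypothetical per-type pair. The directory backend, the `Responder` class and the `user42`/`group7` names are all constructed for the example. It shows that with user enumeration off and group enumeration on, a full group listing is served, a full user listing returns nothing (so no client can trigger a 500,000-entry fetch), and a lookup of one user by name still works.

```python
from dataclasses import dataclass


@dataclass
class Directory:
    """Constructed stand-in for an LDAP server; counts entries it has to send."""
    users: dict
    groups: dict
    entries_served: int = 0

    def lookup_user(self, name):
        self.entries_served += 1
        return self.users.get(name)

    def lookup_group(self, name):
        self.entries_served += 1
        return self.groups.get(name)

    def all_users(self):
        # A full user enumeration costs one entry per user on the server.
        self.entries_served += len(self.users)
        return list(self.users.values())

    def all_groups(self):
        self.entries_served += len(self.groups)
        return list(self.groups.values())


@dataclass
class Responder:
    """Toy responder with a hypothetical split of the enumerate setting."""
    backend: Directory
    enumerate_users: bool = False    # hypothetical: not an existing sssd.conf key
    enumerate_groups: bool = False   # hypothetical: not an existing sssd.conf key

    def getpwnam(self, name):
        # Per-name lookups are unaffected by the enumeration policy.
        return self.backend.lookup_user(name)

    def getgrnam(self, name):
        return self.backend.lookup_group(name)

    def getpwent(self):
        # With enumeration off, a full listing yields nothing instead of
        # pulling every user from the server.
        if not self.enumerate_users:
            return []
        return self.backend.all_users()

    def getgrent(self):
        if not self.enumerate_groups:
            return []
        return self.backend.all_groups()


def build_directory(n_users, n_groups):
    """Constructed directory of n_users users and n_groups groups."""
    users = {f"user{i}": (f"user{i}", 10000 + i) for i in range(n_users)}
    groups = {f"group{i}": (f"group{i}", 20000 + i) for i in range(n_groups)}
    return Directory(users, groups)


def enumeration_cost(n_users, n_groups, enumerate_users, enumerate_groups):
    """Server entries sent when a client enumerates both users and groups."""
    backend = build_directory(n_users, n_groups)
    r = Responder(backend, enumerate_users, enumerate_groups)
    r.getpwent()
    r.getgrent()
    return backend.entries_served


def demo(n_users=500_000, n_groups=1000):
    """The thread's scenario: groups enumerable, users not."""
    backend = build_directory(n_users, n_groups)
    r = Responder(backend, enumerate_users=False, enumerate_groups=True)
    groups = r.getgrent()
    users = r.getpwent()
    one_user = r.getpwnam("user42")
    one_group = r.getgrnam("group7")
    return {
        "groups_listed": len(groups),
        "users_listed": len(users),
        "user_lookup_ok": one_user is not None,
        "group_lookup_ok": one_group is not None,
        "backend_entries_served": backend.entries_served,
    }


if __name__ == "__main__":
    print(demo(5000, 10))
    print("cost with both on:", enumeration_cost(5000, 10, True, True))
    print("cost with groups only:", enumeration_cost(5000, 10, False, True))
```

Running it with the thread's numbers (the defaults) shows the server sending 1,002 entries for the whole demo, whereas enabling user enumeration as well would push the cost of a single full listing to 501,000 entries.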