I wonder how this is done. In our case we have the requirement to list the users that are enabled for a system. Currently, both "getent passwd" and "getent group" do not show these users without enumeration. I don't mind doing an iterative approach from either side (i.e. group or user), but how do I know these users/groups beforehand so I have a starting position?
In our environment we do that kind of listing in a lot of scripts on the server side using direct LDAP searches, like in:
USER_FULL_LIST=`ldapsearch -x -LLL -h $LDAP_SERVER -b "dc=global" "(mail=*@somedomain.net)" uid | grep "^uid: " | cut -d" " -f2- | sort`
Even if we have sssd configured, we prefer that approach, and we generally don't allow that kind of search on the client (desktop) side.

Maybe if you give some more info about what you need to achieve we can give you more accurate solutions.

Anyway, I don't know how hard it is to maintain this code, but I don't like letting enumeration go away, and I think software should always give options, not remove them. It is the admin's job to decide if something can harm a system or not.
abosch
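The grep/cut pipeline above breaks on two things real directories emit: base64-encoded attribute values (`uid:: ...`) and folded long lines. The script below is an added example (not code from this thread or from the sssd project) that parses the LDIF that `ldapsearch -LLL` prints, collects the uids, and then does the "iterative" check from the first poster's message by resolving each uid through the NSS path that sssd serves, using Python's `pwd.getpwnam`. The LDIF sample is constructed for the example, and the NSS resolver is a parameter so the lookup can be swapped out on a machine where sssd is not configured.

```python
"""Collect uids from `ldapsearch -LLL ... uid` output and confirm each one
resolves through NSS (sssd) without relying on enumeration."""
import base64
import pwd
from typing import Callable, Dict, List

# Constructed sample of what
#   ldapsearch -x -LLL -b "dc=global" "(mail=*@somedomain.net)" uid
# could print: a plain value, a base64 value ("uid:: Ym9i" is "bob"),
# and a value folded across two lines (continuation starts with one space).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=global
uid: alice

dn: uid=bob,ou=people,dc=global
uid:: Ym9i

dn: uid=carol,ou=people,dc=global
uid: car
 ol

"""


def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles line folding, base64-encoded values ("attr:: ...") and skips
    URL-valued attributes ("attr:< ...") and comments.
    """
    # Unfold: a line starting with a single space continues the previous line.
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if line == "":  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):  # URL-valued attribute, not needed here
            continue
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def uids_from_ldif(text: str) -> List[str]:
    """Return the sorted, de-duplicated set of uid values in the LDIF."""
    uids = set()
    for entry in parse_ldif_entries(text):
        uids.update(entry.get("uid", []))
    return sorted(uids)


def resolve_via_nss(uid: str) -> bool:
    """True if the local NSS stack (e.g. sssd) can resolve this user by name."""
    try:
        pwd.getpwnam(uid)
        return True
    except KeyError:
        return False


def check_users(uids: List[str],
                resolver: Callable[[str], bool] = resolve_via_nss) -> Dict[str, bool]:
    """Per-user lookup: the starting list comes from LDAP, the answer from NSS."""
    return {uid: resolver(uid) for uid in uids}


if __name__ == "__main__":
    for uid, ok in check_users(uids_from_ldif(SAMPLE_LDIF)).items():
        print(f"{uid}: {'resolves via NSS' if ok else 'NOT resolvable'}")
```

In a real script the `SAMPLE_LDIF` string would be replaced by the captured stdout of the `ldapsearch` command; the per-user `getpwnam` call is exactly the lookup path sssd serves without enumeration, so the result tells you which directory users this host actually accepts.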