My specific requirement for having "enumerate=TRUE" was , we have a build
server with the jenkins set up.
And for authentication jenkins tries to get the localusers on the system.

I should be able to get through that by configuring Jenkins to use LDAP
instead of the local users.

But  are there any other reasons for recommending against "enumerate=TRUE",
i recall reading somewhere as well not to use this specific setting.



Thanks,
Rakesh



On Fri, Jul 22, 2016 at 2:11 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote:
> > On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> > >Hi,
> > >
> > >I am running freeipa version 4.2.0 and sssd version 1.13.0
> > >
> > >I have set "enumerate=True" to show IPA users as well in getent passwd.
> > >
> > >However, the getent passwd continues to show users that have got
> deleted as
> > >well.
> > >
> > >Heres my sssd config file
> > >[domain/xyz.com]
> > >enumerate = TRUE
> > >krb5_auth_timeout = 30
> > >
> > >cache_credentials = True
> > >krb5_store_password_if_offline = True
> > >ipa_domain = xyz.com
> > >id_provider = ipa
> > >auth_provider = ipa
> > >access_provider = ipa
> > >ldap_tls_cacert = /etc/ipa/ca.crt
> > >ipa_hostname = 10.16.11.134
> > >chpass_provider = ipa
> > >ipa_server = _srv_, ipa-master-int.xyz.com
> > >dns_discovery_domain = xyz.com
> > >[sssd]
> > >services = nss, sudo, pam, ssh
> > >config_file_version = 2
> > >
> > >domains = xyz.com
> > >[nss]
> > >homedir_substring = /home
> > >
> > >[pam]
> > >
> > >[sudo]
> > >
> > >[autofs]
> > >
> > >[ssh]
> > >
> > >[pac]
> > >
> > >[ifp]
> > >
> > >Is this an expected behaviour or am i missing something in my config
> > >
> > When user is removed from IPA then it is not automatically removed from
> sssd.
> > SSSD has few levels of caches which are indirectly used by "getent
> passwd".
> > The user or group will be removed after next look-up in IPA which
> > is usually after extpiration of entry in sssd cache.
>
> Deleted users are only detected when they are looked up directly or when
> a cleanup task is ran, because in order to avoid fetching the whole
> directory all the time, enumeration tries to only download entries with
> higher lastUSN than seen last time. So as Lukas said, it can be expected
> that entries show up.
>
> I think the most important lesson here should be don't use
> enumerate=true" :-)
>
> >
> > Another way how to force removing entries from sssd cache is
> > to authenticate with user. SSSD fetch latest data from LDAP/IPA
> > with each authentication for security reasons.
> >
> > You can also invalidate user in sssd cache "sss_cache -u someuser"
> > and SSSD will detect removed user in IPA after attempt to refresh data
> > in sssd cache.
> >
> > LS
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to