My specific requirement for having "enumerate=TRUE" was, we have a build server with Jenkins set up, and for authentication Jenkins tries to get the local users on the system.

I should be able to get through that by configuring Jenkins to use LDAP instead of the local users. But are there any other reasons for recommending against "enumerate=TRUE"? I recall reading somewhere as well not to use this specific setting.

Thanks,
Rakesh

On Fri, Jul 22, 2016 at 2:11 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote:
> > On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> > > Hi,
> > >
> > > I am running freeipa version 4.2.0 and sssd version 1.13.0.
> > >
> > > I have set "enumerate=True" to show IPA users as well in getent passwd.
> > >
> > > However, getent passwd continues to show users that have got deleted as well.
> > >
> > > Here's my sssd config file:
> > >
> > > [domain/xyz.com]
> > > enumerate = TRUE
> > > krb5_auth_timeout = 30
> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = xyz.com
> > > id_provider = ipa
> > > auth_provider = ipa
> > > access_provider = ipa
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > ipa_hostname = 10.16.11.134
> > > chpass_provider = ipa
> > > ipa_server = _srv_, ipa-master-int.xyz.com
> > > dns_discovery_domain = xyz.com
> > >
> > > [sssd]
> > > services = nss, sudo, pam, ssh
> > > config_file_version = 2
> > > domains = xyz.com
> > >
> > > [nss]
> > > homedir_substring = /home
> > >
> > > [pam]
> > >
> > > [sudo]
> > >
> > > [autofs]
> > >
> > > [ssh]
> > >
> > > [pac]
> > >
> > > [ifp]
> > >
> > > Is this an expected behaviour or am I missing something in my config?
> > >
> > When a user is removed from IPA, it is not automatically removed from sssd.
> > SSSD has a few levels of caches which are indirectly used by "getent passwd".
> > The user or group will be removed after the next look-up in IPA, which
> > is usually after expiration of the entry in the sssd cache.
>
> Deleted users are only detected when they are looked up directly or when
> a cleanup task is run, because in order to avoid fetching the whole
> directory all the time, enumeration tries to only download entries with
> a higher lastUSN than seen last time. So as Lukas said, it can be expected
> that entries show up.
>
> I think the most important lesson here should be "don't use
> enumerate=true" :-)
>
> > Another way to force removing entries from the sssd cache is
> > to authenticate with the user. SSSD fetches the latest data from LDAP/IPA
> > with each authentication for security reasons.
> >
> > You can also invalidate a user in the sssd cache with "sss_cache -u someuser"
> > and SSSD will detect the removed user in IPA after an attempt to refresh data
> > in the sssd cache.
> >
> > LS
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
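The mechanism Jakub and Lukas describe above (incremental enumeration by lastUSN never sees a deletion; the entry only goes away on a refresh triggered by expiry, by authentication, by sss_cache -u, or by the cleanup task) is easy to misread, so here is a small constructed model of it. This is an added example, not SSSD's or FreeIPA's code: the Directory and SssdCache classes, the user names, the USN values and the method names are all invented for illustration. It goes slightly beyond the thread in that it walks every remediation path the replies mention in one run.

```python
"""Toy model of why 'enumerate = true' keeps listing deleted users.

Constructed example, not SSSD code. It mimics the behaviour described on
freeipa-users: enumeration only downloads entries whose USN is higher than
the last one seen, so a deleted entry (nothing to download) stays cached
until something refreshes that specific entry against the backend.
"""
from dataclasses import dataclass, field

# sssd's documented default entry_cache_timeout is 5400 seconds; used here
# only as a clock value for the toy cache.
ENTRY_CACHE_TIMEOUT = 5400


@dataclass
class Directory:
    """Stand-in for the IPA/LDAP server with a lastUSN counter (constructed)."""
    usn: int = 0
    users: dict = field(default_factory=dict)  # name -> USN of last change

    def add(self, name):
        self.usn += 1
        self.users[name] = self.usn

    def delete(self, name):
        # The server USN moves on, but there is no entry left to download.
        self.usn += 1
        del self.users[name]

    def changed_since(self, usn):
        return [n for n, u in self.users.items() if u > usn]

    def exists(self, name):
        return name in self.users


@dataclass
class SssdCache:
    """Stand-in for the sssd cache as seen through NSS (constructed)."""
    now: int = 0
    last_usn: int = 0
    expires: dict = field(default_factory=dict)  # name -> expiry time

    def tick(self, seconds):
        self.now += seconds

    def enumerate(self, directory):
        # Incremental enumeration: fetch only entries newer than last_usn.
        # Nothing in this path ever removes a cached entry.
        for name in directory.changed_since(self.last_usn):
            self.expires[name] = self.now + ENTRY_CACHE_TIMEOUT
        self.last_usn = directory.usn

    def getent_passwd(self):
        return sorted(self.expires)

    def _refresh(self, directory, name):
        # Ask the backend; a missing user is dropped from the cache.
        if directory.exists(name):
            self.expires[name] = self.now + ENTRY_CACHE_TIMEOUT
            return True
        self.expires.pop(name, None)
        return False

    def lookup(self, directory, name):
        # Direct lookup (getent passwd <name>): served from cache while the
        # entry is still valid, refreshed from the backend once it expired.
        exp = self.expires.get(name)
        if exp is not None and exp > self.now:
            return True
        return self._refresh(directory, name)

    def authenticate(self, directory, name):
        # Authentication always refreshes the entry from the backend.
        return self._refresh(directory, name)

    def sss_cache_u(self, name):
        # Model of 'sss_cache -u <name>': mark the entry expired.
        if name in self.expires:
            self.expires[name] = 0

    def cleanup(self, directory):
        # Model of the periodic cleanup task: drop entries the backend lost.
        removed = sorted(n for n in self.expires if not directory.exists(n))
        for n in removed:
            del self.expires[n]
        return removed


def scenario():
    """Reproduce the thread's symptom, then each remediation path."""
    d, c = Directory(), SssdCache()
    for u in ("alice", "bob", "carol", "dave", "erin"):
        d.add(u)
    c.enumerate(d)
    out = {"initial": c.getent_passwd()}

    d.delete("bob")
    c.enumerate(d)                                    # nothing newer than last_usn
    out["after_enum"] = c.getent_passwd()             # bob is still listed
    out["lookup_cached"] = c.lookup(d, "bob")         # True: valid entry, backend not asked
    c.sss_cache_u("bob")
    out["lookup_invalidated"] = c.lookup(d, "bob")    # False: refresh sees the deletion

    d.delete("carol")
    c.enumerate(d)
    out["auth_deleted"] = c.authenticate(d, "carol")  # False: auth refreshes

    d.delete("dave")
    c.enumerate(d)
    c.tick(ENTRY_CACHE_TIMEOUT + 1)                   # let dave's entry expire
    out["lookup_expired"] = c.lookup(d, "dave")       # False: expiry forces refresh

    d.delete("erin")
    c.enumerate(d)
    out["cleanup_removed"] = c.cleanup(d)             # ['erin']
    out["final"] = c.getent_passwd()                  # ['alice']
    return out
```

On a real client the equivalent check is `getent passwd someuser` before and after `sss_cache -u someuser` (the command Lukas gives above); the model also shows why the stale listing is mostly a visibility problem, since the authentication path refreshes against IPA regardless of what the enumerated cache says.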