Ryan Novosielski wrote:
> My recollection is that finger used a terribly inefficient way of getting
> information, at least one time, and asked for information on every user
> despite the fact that it was only going to need one. I recall installing
> something called finger-ldap, because in the pre-SSSD days, finger could
> cause a lot of trouble on large LDAP directories because it would ask for the
> entire contents of the directory. I wouldn't be surprised if this was
> related. You might want to look into the same solution.

Or one could simply drop support for finger and query the user's entry from the
LDAP server directly. Doing this over TLS would also protect against some of the
attacks possible with finger.

Ciao, Michael.
sssd-users mailing list
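
The direct lookup suggested in the reply above, as an added example that is not part of the original thread: it asks the directory for one user's entry over mandatory StartTLS rather than enumerating every account. The server URI, search base, anonymous simple bind, RFC 2307 `posixAccount` schema and the function names are assumptions; certificate validation relies on the client's existing `ldap.conf` TLS settings.

```shell
#!/bin/sh
# Constructed values: replace with your directory's URI and search base.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"

# Escape RFC 4515 filter metacharacters so a username cannot widen the
# search (for example turning a single lookup back into a full enumeration).
# Backslash is handled first so the escapes added later are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build a filter that matches exactly one account by uid
# (assumes the RFC 2307 posixAccount object class).
user_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_escape "$1")"
}

# Fetch one user's entry from the directory.
#   -ZZ  require StartTLS and fail if it cannot be negotiated
#   -z 1 cap the result at a single entry
#   -x   simple (here anonymous) bind; an assumption about the server
# Only the attributes finger would have displayed are requested.
lookup_user() {
    ldapsearch -x -ZZ -H "$LDAP_URI" -b "$LDAP_BASE" -s sub -z 1 -LLL \
        "$(user_filter "$1")" uid cn gecos homeDirectory loginShell
}

# Demo with a constructed hostile username: the wildcard and parentheses
# end up as escaped literals inside the uid assertion.
user_filter 'jdoe)(uid=*'; echo
```

Call `lookup_user jdoe` on a host with the OpenLDAP client tools installed to run the actual query.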
