Can I list all users defined in LDAP (on RHEL6 or Fedora) ?
Hello

in newest version of getent (on RHEL6 or Fedora)

$ getent passwd
returns only local users not users defined in LDAP.

When I run
$ getent passwd login_in_ldap
it works the same like before.

But I have many scripts where I get list of all users by this command
$ getent passwd

Can I list all users defined in LDAP?

-- 
Pavel Lisy <pali@tmapy.cz>
T-MAPY spol. s r.o.

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Can I list all users defined in LDAP (on RHEL6 or Fedora) ?
Pavel,
Are you sure the LDAP server allows listing all users? It's quite normal
to turn that off.

On Tue, 2012-01-03 at 13:00 +0100, Pavel Lisy wrote:
> Hello
>
> in newest version of getent (on RHEL6 or Fedora)
>
> $ getent passwd
> returns only local users not users defined in LDAP.
>
> When I run
> $ getent passwd login_in_ldap
> it works the same like before.
>
> But I have many scripts where I get list of all users by this command
> $ getent passwd
>
> Can I list all users defined in LDAP?
>
> --
> Pavel Lisy <pali@tmapy.cz>
> T-MAPY spol. s r.o.
>

-- 
Best Regards
Peter Larsen

Wise words of the day:
Netscape is not a newsreader, and probably never shall be.
-- Tom Christiansen

Can I list all users defined in LDAP (on RHEL6 or Fedora) ?
On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> Pavel,
> Are you sure the LDAP server allows listing all users? It's quite normal
> to turn that off.

By default, SSSD doesn't allow listing all users/groups because it
presents significant load on the server. You can enable it by adding
'enumerate = True' to the [domain/default] section
of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
restart')

It may take several minutes before the results are viewable as SSSD
retrieves them all and caches them, depending on the size of your LDAP
server. (After the initial caching period, the lookups will be fast)

In general, you probably want to review what your scripts are doing and
see if you can't make them more efficient by using specific lookups.

Can I list all users defined in LDAP (on RHEL6 or Fedora) ?
Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > Pavel,
> > Are you sure the LDAP server allows listing all users? It's quite normal
> > to turn that off.
>
> By default, SSSD doesn't allow listing all users/groups because it
> presents significant load on the server. You can enable it by adding
> 'enumerate = True' to the [domain/default] section
> of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> restart')

It was it thanks a lot. My LDAP DB is not big so performance is not problem.

> In general, you probably want to review what your scripts are doing and
> see if you can't make them more efficient by using specific lookups.

I use it to get list of all active users to create homedirs and ssh keys
for them (for example). It is much simpler to use shell utils than write
perl script to connect to LDAP directly.

Is it possible to set sssd to list only active users - set custom
filter? Now it lists all users (inactive include samba/computer
accounts)

I use this filter in /etc/ldap.conf now:
nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])

I've found only this:
access_provider = ldap
ldap_access_filter = sambaAcctFlags=[UX]

but it doesn't change list of
getent passwd

Any idea how to solve it?

Pavel

-- 
Pavel Lisy <pali@tmapy.cz>
T-MAPY spol. s r.o.

Can I list all users defined in LDAP (on RHEL6 or Fedora) ?
On Wed, 2012-01-04 at 12:03 +0100, Pavel Lisy wrote:
> Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> > On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > > Pavel,
> > > Are you sure the LDAP server allows listing all users? It's quite normal
> > > to turn that off.
> >
> > By default, SSSD doesn't allow listing all users/groups because it
> > presents significant load on the server. You can enable it by adding
> > 'enumerate = True' to the [domain/default] section
> > of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> > restart')
> It was it thanks a lot. My LDAP DB is not big so performance is not problem.
>
> > In general, you probably want to review what your scripts are doing and
> > see if you can't make them more efficient by using specific lookups.
>
> I use it to get list of all active users to create homedirs and ssh keys
> for them (for example). It is much simpler to use shell utils than write
> perl script to connect to LDAP directly.
>
> Is it possible to set sssd to list only active users - set custom
> filter? Now it lists all users (inactive include samba/computer
> accounts)
>
> I use this filter in /etc/ldap.conf now:
> nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
>
> I've found only this:
> access_provider = ldap
> ldap_access_filter = sambaAcctFlags=[UX]
>
> but it doesn't change list of
> getent passwd
>
> Any idea how to solve it?

We just added this feature in SSSD 1.7.0 (which I'm going to be putting
in updates-testing for F16 today). You'll be able to do:

ldap_user_search_base = ou=People,dc=company,dc=org?one?(sambaAcctFlags=[UX])

ldap_group_search_base = ou=Groups,dc=company,dc=org?one?|(sambaAcctFlags=[UX])

Can I list all users defined in LDAP (on RHEL6 or Fedora) ?
Stephen Gallagher wrote on Wed 04. 01. 2012 at 07:31 -0500:
> On Wed, 2012-01-04 at 12:03 +0100, Pavel Lisy wrote:
> > Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> > > On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > > > Pavel,
> > > > Are you sure the LDAP server allows listing all users? It's quite normal
> > > > to turn that off.
> > >
> > > By default, SSSD doesn't allow listing all users/groups because it
> > > presents significant load on the server. You can enable it by adding
> > > 'enumerate = True' to the [domain/default] section
> > > of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> > > restart')
> > It was it thanks a lot. My LDAP DB is not big so performance is not problem.
> >
> > > In general, you probably want to review what your scripts are doing and
> > > see if you can't make them more efficient by using specific lookups.
> >
> > I use it to get list of all active users to create homedirs and ssh keys
> > for them (for example). It is much simpler to use shell utils than write
> > perl script to connect to LDAP directly.
> >
> > Is it possible to set sssd to list only active users - set custom
> > filter? Now it lists all users (inactive include samba/computer
> > accounts)
> >
> > I use this filter in /etc/ldap.conf now:
> > nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
> >
> > I've found only this:
> > access_provider = ldap
> > ldap_access_filter = sambaAcctFlags=[UX]
> >
> > but it doesn't change list of
> > getent passwd
> >
> > Any idea how to solve it?
>
>
> We just added this feature in SSSD 1.7.0 (which I'm going to be putting
> in updates-testing for F16 today). You'll be able to do:
>
> ldap_user_search_base = ou=People,dc=company,dc=org?one?(sambaAcctFlags=[UX])
>
> ldap_group_search_base = ou=Groups,dc=company,dc=org?one?|(sambaAcctFlags=[UX])

Excellent!

I've just found in (fedora) documentation that it is possible
filter it by:
ldap_user_search_filter = (sambaAcctFlags=[UX])

It works in sssd-1.6.3 (my F16).

But I've tried it (and need it too) in RHEL6/CentOS6 and there is older
version sssd-1.5.1-66 which doesn't support this feature yet.

Do you think you/they will increase version of sssd in next RHEL update
(6.3)?
I suppose not. So I'll need to disable sssd and use nss-pam-ldapd
instead.

Pavel

Can I list all users defined in LDAP (on RHEL6 or Fedora) ?
On Wed, 2012-01-04 at 13:51 +0100, Pavel Lisy wrote:
> Stephen Gallagher wrote on Wed 04. 01. 2012 at 07:31 -0500:
> > On Wed, 2012-01-04 at 12:03 +0100, Pavel Lisy wrote:
> > > Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> > > > On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > > > > Pavel,
> > > > > Are you sure the LDAP server allows listing all users? It's quite normal
> > > > > to turn that off.
> > > >
> > > > By default, SSSD doesn't allow listing all users/groups because it
> > > > presents significant load on the server. You can enable it by adding
> > > > 'enumerate = True' to the [domain/default] section
> > > > of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> > > > restart')
> > > It was it thanks a lot. My LDAP DB is not big so performance is not problem.
> > >
> > > > In general, you probably want to review what your scripts are doing and
> > > > see if you can't make them more efficient by using specific lookups.
> > >
> > > I use it to get list of all active users to create homedirs and ssh keys
> > > for them (for example). It is much simpler to use shell utils than write
> > > perl script to connect to LDAP directly.
> > >
> > > Is it possible to set sssd to list only active users - set custom
> > > filter? Now it lists all users (inactive include samba/computer
> > > accounts)
> > >
> > > I use this filter in /etc/ldap.conf now:
> > > nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
> > >
> > > I've found only this:
> > > access_provider = ldap
> > > ldap_access_filter = sambaAcctFlags=[UX]
> > >
> > > but it doesn't change list of
> > > getent passwd
> > >
> > > Any idea how to solve it?
> >
> >
> > We just added this feature in SSSD 1.7.0 (which I'm going to be putting
> > in updates-testing for F16 today). You'll be able to do:
> >
> > ldap_user_search_base = ou=People,dc=company,dc=org?one?(sambaAcctFlags=[UX])
> >
> > ldap_group_search_base = ou=Groups,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
>
> Excellent!
>
> I've just found in (fedora) documentation that it is possible
> filter it by:
> ldap_user_search_filter = (sambaAcctFlags=[UX])
>
> It works in sssd-1.6.3 (my F16).
>
> But I've tried it (and need it too) in RHEL6/CentOS6 and there is older
> version sssd-1.5.1-66 which doesn't support this feature yet.
>
> Do you think you/they will increase version of sssd in next RHEL update
> (6.3)?
> I suppose not. So I'll need to disable sssd and use nss-pam-ldapd
> instead.

The plan for RHEL 6.3 is to rebase SSSD to 1.8.0
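
The "specific lookups" suggestion applied to the home-directory use case from the thread, as an added example that is not code from any participant or from the SSSD project: one filtered `ldapsearch` replaces `getent passwd` enumeration, the returned names are validated before a root script uses them, and each is then resolved by name through NSS. The search base and filter are the thread's; `LDAP_URI`, the anonymous bind, the function names and the sample LDIF are assumptions.

```shell
#!/bin/bash
# Added example. BASE/FILTER are the thread's; LDAP_URI and the -x bind are assumed.
export LC_ALL=C
LDAP_URI="ldap://ldap.example.org"
BASE="ou=People,dc=company,dc=org"
FILTER='(sambaAcctFlags=[UX])'

# stdin: LDIF from 'ldapsearch -LLL'; stdout: one uid value per line. Unfolds
# continuation lines, decodes base64 values; a decoded newline becomes '?'.
ldif_uids() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }' |
  while IFS= read -r line; do
    case "$line" in
      "uid:: "*) printf '%s' "${line#uid:: }" | base64 -d | tr '\n' '?'; echo ;;
      "uid: "*)  printf '%s\n' "${line#uid: }" ;;
    esac
  done
}

# Directory data is untrusted input to a root script: accept only plain
# login names. This also drops machine accounts, which end in '$'.
valid_login() {
  case "$1" in
    ''|-*|.*|*[!a-z0-9_.-]*) return 1 ;;
  esac
}

active_logins() {
  ldif_uids | while IFS= read -r u; do
    if valid_login "$u"; then printf '%s\n' "$u"; fi
  done
}

# Constructed sample LDIF, not real directory data.
sample_ldif() {
  printf '%s\n' 'dn: uid=alice,ou=People,dc=company,dc=org' 'uid: alice' '' \
    'dn: uid=ws01$,ou=People,dc=company,dc=org' 'uid: ws01$' '' \
    'dn: uid=bob,ou=People,dc=company,dc=org' 'uid:: Ym9i' '' \
    'dn: uid=x,ou=People,dc=company,dc=org' 'uid: ../../etc' '' \
    'dn: uid=carol,ou=People,dc=company,dc=org' 'uid: car' ' ol'
}

if [ "${1:-}" = "--live" ]; then   # needs ldapsearch (openldap-clients)
  ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE" -s one "$FILTER" uid |
    active_logins | while IFS= read -r u; do
      getent passwd "$u" | cut -d: -f1,6    # by-name lookup: login:home
    done
fi
```

Run `sample_ldif | active_logins` to see the offline result; by-name `getent passwd <login>` lookups work with `enumerate` left at its default, as the first message in the thread observes.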