Old 01-03-2012, 11:00 AM
Pavel Lisy
 
Default Can I list all users defined in LDAP (on RHEL6 or Fedora) ?

Hello,

In the newest version of getent (on RHEL6 or Fedora)

$ getent passwd
returns only local users, not users defined in LDAP.

When I run
$ getent passwd login_in_ldap
it works the same as before.

But I have many scripts where I get a list of all users with this command:
$ getent passwd

Can I list all users defined in LDAP?

--
Pavel Lisy <pali@tmapy.cz>
T-MAPY spol. s r.o.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 07:51 PM
Peter Larsen
 
Default Can I list all users defined in LDAP (on RHEL6 or Fedora) ?

Pavel,
Are you sure the LDAP server allows listing all users? It's quite normal
to turn that off.

On Tue, 2012-01-03 at 13:00 +0100, Pavel Lisy wrote:
> Hello
>
> in newest version of getent (on RHEL6 or Fedora)
>
> $ getent passwd
> returns only local users not users defined in LDAP.
>
> When I run
> $ getent passwd login_in_ldap
> it works the same like before.
>
> But I have many scripts where I get list of all users by this command
> $ getent passwd
>
> Can I list all users defined in LDAP?
>
> --
> Pavel Lisy <pali@tmapy.cz>
> T-MAPY spol. s r.o.
>


--
Best Regards
Peter Larsen

Wise words of the day:
Netscape is not a newsreader, and probably never shall be.
-- Tom Christiansen
 
Old 01-03-2012, 08:10 PM
Stephen Gallagher
 
Default Can I list all users defined in LDAP (on RHEL6 or Fedora) ?

On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> Pavel,
> Are you sure the LDAP server allows listing all users? It's quite normal
> to turn that off.

By default, SSSD doesn't allow listing all users/groups because it
presents significant load on the server. You can enable it by adding
'enumerate = True' to the [domain/default] section
of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
restart')

It may take several minutes before the results are viewable as SSSD
retrieves them all and caches them, depending on the size of your LDAP
server. (After the initial caching period, the lookups will be fast)


In general, you probably want to review what your scripts are doing and
see if you can't make them more efficient by using specific lookups.
 
Old 01-04-2012, 10:03 AM
Pavel Lisy
 
Default Can I list all users defined in LDAP (on RHEL6 or Fedora) ?

Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > Pavel,
> > Are you sure the LDAP server allows listing all users? It's quite normal
> > to turn that off.
>
> By default, SSSD doesn't allow listing all users/groups because it
> presents significant load on the server. You can enable it by adding
> 'enumerate = True' to the [domain/default] section
> of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> restart')
That was it, thanks a lot. My LDAP DB is not big, so performance is not a problem.

> In general, you probably want to review what your scripts are doing and
> see if you can't make them more efficient by using specific lookups.

I use it to get a list of all active users to create homedirs and ssh keys
for them (for example). It is much simpler to use shell utils than to write
a perl script to connect to LDAP directly.

Is it possible to set sssd to list only active users - set a custom
filter? Now it lists all users (inactive ones included, samba/computer
accounts).

I use this filter in /etc/ldap.conf now:
nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])

I've found only this:
access_provider = ldap
ldap_access_filter = sambaAcctFlags=[UX]

but it doesn't change the list from
getent passwd

Any idea how to solve it?

Pavel


--
Pavel Lisy <pali@tmapy.cz>
T-MAPY spol. s r.o.

 
Old 01-04-2012, 11:31 AM
Stephen Gallagher
 
Default Can I list all users defined in LDAP (on RHEL6 or Fedora) ?

On Wed, 2012-01-04 at 12:03 +0100, Pavel Lisy wrote:
> Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> > On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > > Pavel,
> > > Are you sure the LDAP server allows listing all users? It's quite normal
> > > to turn that off.
> >
> > By default, SSSD doesn't allow listing all users/groups because it
> > presents significant load on the server. You can enable it by adding
> > 'enumerate = True' to the [domain/default] section
> > of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> > restart')
> It was it thanks a lot. My LDAP DB is not big so performance is not problem.
>
> > In general, you probably want to review what your scripts are doing and
> > see if you can't make them more efficient by using specific lookups.
>
> I use it to get list of all active users to create homedirs and ssh keys
> for them (for example). It is much simpler to use shell utils than write
> perl script to connect to LDAP directly.
>
> Is it possible to set sssd to list only active users - set custom
> filter? Now it lists all users (inactive include samba/computer
> accounts)
>
> I use this filter in /etc/ldap.conf now:
> nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
>
> I've found only this:
> access_provider = ldap
> ldap_access_filter = sambaAcctFlags=[UX]
>
> but it doesn't change list of
> getent passwd
>
> Any idea how to solve it?


We just added this feature in SSSD 1.7.0 (which I'm going to be putting
in updates-testing for F16 today). You'll be able to do:

ldap_user_search_base = ou=People,dc=company,dc=org?one?(sambaAcctFlags=[UX])

ldap_group_search_base = ou=Groups,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
 
Old 01-04-2012, 11:51 AM
Pavel Lisy
 
Default Can I list all users defined in LDAP (on RHEL6 or Fedora) ?

Stephen Gallagher wrote on Wed 04. 01. 2012 at 07:31 -0500:
> On Wed, 2012-01-04 at 12:03 +0100, Pavel Lisy wrote:
> > Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> > > On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > > > Pavel,
> > > > Are you sure the LDAP server allows listing all users? It's quite normal
> > > > to turn that off.
> > >
> > > By default, SSSD doesn't allow listing all users/groups because it
> > > presents significant load on the server. You can enable it by adding
> > > 'enumerate = True' to the [domain/default] section
> > > of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> > > restart')
> > It was it thanks a lot. My LDAP DB is not big so performance is not problem.
> >
> > > In general, you probably want to review what your scripts are doing and
> > > see if you can't make them more efficient by using specific lookups.
> >
> > I use it to get list of all active users to create homedirs and ssh keys
> > for them (for example). It is much simpler to use shell utils than write
> > perl script to connect to LDAP directly.
> >
> > Is it possible to set sssd to list only active users - set custom
> > filter? Now it lists all users (inactive include samba/computer
> > accounts)
> >
> > I use this filter in /etc/ldap.conf now:
> > nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
> >
> > I've found only this:
> > access_provider = ldap
> > ldap_access_filter = sambaAcctFlags=[UX]
> >
> > but it doesn't change list of
> > getent passwd
> >
> > Any idea how to solve it?
>
>
> We just added this feature in SSSD 1.7.0 (which I'm going to be putting
> in updates-testing for F16 today). You'll be able to do:
>
> ldap_user_search_base = ou=People,dc=company,dc=org?one?(sambaAcctFlags=[UX])
>
> ldap_group_search_base = ou=Groups,dc=company,dc=org?one?|(sambaAcctFlags=[UX])

Excellent!

I've just found in the (fedora) documentation that it is possible to
filter it by:
ldap_user_search_filter = (sambaAcctFlags=[UX])

It works in sssd-1.6.3 (my F16).

But I've tried it (and need it too) in RHEL6/CentOS6, and there is an older
version, sssd-1.5.1-66, which doesn't support this feature yet.

Do you think you/they will increase the version of sssd in the next RHEL update
(6.3)?
I suppose not. So I'll need to disable sssd and use nss-pam-ldapd
instead.


Pavel
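
Added example, not part of the thread and not SSSD's own tooling: a shell check over sssd.conf that reports, per domain, whether `enumerate` is on and whether a user search filter narrows the listing. It flags the case from this thread where only `ldap_access_filter` is set, which leaves the `getent passwd` list unchanged, and it also accepts the filter form of `ldap_user_search_base` mentioned for SSSD 1.7.0. The function names, the verdict strings, the domain names `staff` and `lab`, and the sample file are constructed for illustration.

```shell
# Constructed sample config (domain names "staff" and "lab" are made up).
sample_conf() {
cat <<'EOF'
[sssd]
domains = default, staff, lab
[domain/default]
enumerate = True
access_provider = ldap
ldap_access_filter = sambaAcctFlags=[UX]
[domain/staff]
enumerate = True
ldap_user_search_filter = (sambaAcctFlags=[UX])
[domain/lab]
id_provider = ldap
EOF
}

# Reads sssd.conf from the named file (or stdin); prints one verdict per domain.
audit_sssd_enumeration() {
    awk '
    function flush() {
        if (dom == "") return
        if (!enumerate)   v = "OK enumeration-off"
        else if (sfilter) v = "OK enumeration-filtered"
        else if (afilter) v = "WARN access-filter-only"  # logins limited, listing not
        else              v = "WARN enumeration-unfiltered"
        print dom ": " v
    }
    /^[ \t]*[#;]/ { next }                 # comment lines
    /^[ \t]*\[/ {                          # section header: report the previous domain
        flush(); dom = ""; enumerate = 0; sfilter = 0; afilter = 0
        if ($0 ~ /^[ \t]*\[domain\//) {
            dom = $0; sub(/^[ \t]*\[domain\//, "", dom); sub(/\].*$/, "", dom)
        }
        next
    }
    dom != "" && index($0, "=") {          # key = value inside a domain section
        key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "enumerate")               enumerate = (tolower(val) == "true")
        if (key == "ldap_user_search_filter") sfilter = (val != "")
        if (key == "ldap_user_search_base" && val ~ /\?.*\?./) sfilter = 1
        if (key == "ldap_access_filter")      afilter = (val != "")
    }
    END { flush() }
    ' "$@"
}

sample_conf | audit_sssd_enumeration
```

To check a live host, run `audit_sssd_enumeration /etc/sssd/sssd.conf` as root, since SSSD requires that file to be readable by root only.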


 
Old 01-04-2012, 11:54 AM
Stephen Gallagher
 
Default Can I list all users defined in LDAP (on RHEL6 or Fedora) ?

On Wed, 2012-01-04 at 13:51 +0100, Pavel Lisy wrote:
> Stephen Gallagher wrote on Wed 04. 01. 2012 at 07:31 -0500:
> > On Wed, 2012-01-04 at 12:03 +0100, Pavel Lisy wrote:
> > > Stephen Gallagher wrote on Tue 03. 01. 2012 at 16:10 -0500:
> > > > On Tue, 2012-01-03 at 15:51 -0500, Peter Larsen wrote:
> > > > > Pavel,
> > > > > Are you sure the LDAP server allows listing all users? It's quite normal
> > > > > to turn that off.
> > > >
> > > > By default, SSSD doesn't allow listing all users/groups because it
> > > > presents significant load on the server. You can enable it by adding
> > > > 'enumerate = True' to the [domain/default] section
> > > > of /etc/sssd/sssd.conf and then restarting SSSD (with 'service sssd
> > > > restart')
> > > It was it thanks a lot. My LDAP DB is not big so performance is not problem.
> > >
> > > > In general, you probably want to review what your scripts are doing and
> > > > see if you can't make them more efficient by using specific lookups.
> > >
> > > I use it to get list of all active users to create homedirs and ssh keys
> > > for them (for example). It is much simpler to use shell utils than write
> > > perl script to connect to LDAP directly.
> > >
> > > Is it possible to set sssd to list only active users - set custom
> > > filter? Now it lists all users (inactive include samba/computer
> > > accounts)
> > >
> > > I use this filter in /etc/ldap.conf now:
> > > nss_base_passwd ou=People,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
> > >
> > > I've found only this:
> > > access_provider = ldap
> > > ldap_access_filter = sambaAcctFlags=[UX]
> > >
> > > but it doesn't change list of
> > > getent passwd
> > >
> > > Any idea how to solve it?
> >
> >
> > We just added this feature in SSSD 1.7.0 (which I'm going to be putting
> > in updates-testing for F16 today). You'll be able to do:
> >
> > ldap_user_search_base = ou=People,dc=company,dc=org?one?(sambaAcctFlags=[UX])
> >
> > ldap_group_search_base = ou=Groups,dc=company,dc=org?one?|(sambaAcctFlags=[UX])
>
> Excellent!
>
> I've just found in the (fedora) documentation that it is possible to
> filter it by:
> ldap_user_search_filter = (sambaAcctFlags=[UX])
>
> It works in sssd-1.6.3 (my F16).
>
> But I've tried it (and need it too) in RHEL6/CentOS6 and there is older
> version sssd-1.5.1-66 which doesn't support this feature yet.
>
> Do you think you/they will increase version of sssd in next RHEL update
> (6.3)?
> I suppose not. So I'll need to disable sssd and use nss-pam-ldapd
> instead.


The plan for RHEL 6.3 is to rebase SSSD to 1.8.0