#3661 autofs/LDAP should have the option not to enumerate maps (enhancement)

Created 2 months ago by nxg
Modified 2 months ago

At present, autofs/LDAP enumerates an entire automount map when it starts up. This creates problems when those maps are large enough to hit an LDAP server query limit.

A workaround is to have the SSS daemon use a particular DN to bind, which has an increased query limit, but since the system otherwise appears to work using anonymous binds, this workaround adds administrative overhead, and so is unattractive.

The documentation for the enumerate option in sssd.conf(5) notes that ‘For the reasons cited above, enabling enumeration is not recommended, especially in large environments’, but this appears to apply only to the context of user entries in the LDAP server, and appears not to have any effect on autofs map queries (or I'm missing some documentation). At any rate, I do have enumerate=false in my sssd.conf, and I'm still seeing the whole-map enumeration.

For example, in our case, we have users’ homes automounted to /home/<username>, so that the auto.home map is the same size as the uid map (it might be that this is seen as an eccentric layout, but it was the autofs/NIS layout recommended by Sun in the 90s, when our local layout was first designed, so it might be reasonably widespread).
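The configuration that the ticket is describing, written out as an added illustration (this is not a fragment from the reporter or from the SSSD project): an LDAP domain with enumeration switched off, the autofs map attributes, and the bind-DN workaround the ticket mentions. The domain name, search bases, the bind DN `cn=sssd-autofs,...` and the password placeholder are assumptions for the example; the option names are the documented sssd-ldap(5) ones.

```ini
# sssd.conf, illustrative only. Domain name, search bases, bind DN and
# password are assumptions for the example, not values from the ticket.
[sssd]
services = nss, pam, autofs
domains = example

[domain/example]
id_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://ldap.example.org
ldap_search_base = dc=example,dc=org

# Governs enumeration of user and group entries (getpwent/getgrent and
# friends). The ticket reports that the autofs map is still read whole
# with this set to false.
enumerate = false

# Map layout in RFC 2307 nisMap/nisObject style; one nisObject per user
# under the auto.home map, so the map is as large as the uid map.
ldap_autofs_search_base = ou=automount,dc=example,dc=org
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

# Workaround from the ticket: bind as a dedicated DN to which the LDAP
# server grants a larger size limit, instead of binding anonymously.
# The credential is stored in the clear here, so sssd.conf must stay
# root-owned and mode 0600 (sssd refuses to start otherwise) and the
# account should have read-only access to the map subtree and nothing else.
ldap_default_bind_dn = cn=sssd-autofs,ou=services,dc=example,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = change-me

[autofs]
```

The server side of the workaround is a per-DN limit rather than a global one; on OpenLDAP that is a `limits` / `olcLimits` entry for the bind DN, for example `olcLimits: dn.exact="cn=sssd-autofs,ou=services,dc=example,dc=org" size=unlimited`, which leaves the default size limit in force for anonymous and ordinary users. That is the administrative overhead the ticket objects to: a service account, a password on every client, and a server-side exception to maintain.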

