#3878 SLAPI-NIS should be able to detect enumeration requests from legacy clients
Opened 10 years ago by jhrozek. Modified 7 years ago

The SSSD is about to get support for enumeration of trusted domains when the SSSD is operating in server mode. The slapi-nis plugin that generates the users in the compat tree should be able to detect enumeration requests from legacy clients and respond with the output of setpwent/getpwent/endpwent.

(Arguably this ticket should be filed in the slapi-nis tracker. Feel free to move it there.)


Moving to next month's iteration.

Discussed at today's meeting. Implementation of the feature would take a considerable amount of time (a lot of issues with slapi-nis locking in FreeIPA 3.3.0); we need to re-evaluate how important this feature is or how common enumerations are on client machines working with the compat tree.

OK so here is the scenario:

If there is a non-SSSD client, it might just get everything and we do not have control over it.
If we have a client that is pre-1.9 (which is quite a substantial population), there is a high chance that enumeration would be on, since we started to discourage people from using it only later.

I am afraid that without this we will open ourselves to a lot of cases.

What software requires enumeration? Most graphical logins already use white lists to present users able to log in. Other applications use explicit per-user/per-group queries.

In my tests for older clients I have not seen any issues with no enumeration available.

Metadata Update from @jhrozek:
- Issue assigned to someone
- Issue set to the milestone: Tickets Deferred

7 years ago
