On Sat, 2020-11-14 at 19:11 -0500, Nico Kadel-Garcia wrote:
> On Sat, Nov 14, 2020 at 6:02 PM Markus Larsson <qrsbrwn@xxxxxxxxxx>
> wrote:
> >
> > Sounds like a horrible experience. It seems circumventable by not
> > caching entire OUs though. The way sssd has been used where I have
> > been it has only cached users actually logging in. That's a single
> > setting in sssd.conf that makes all the difference.
> > Not saying you're wrong though, I've just never seen the issue over
> > the years.
> > I have seen early sssd take down an AD domain controller due to
> > aggressively asking for every user but that was many years ago :)
>
> Which setting are you referring to? Because a couple of years ago, I
> couldn't find a graceful way to prevent it.

ignore_group_members is the one. It has other implications which can
make a fuss in certain situations though.
Generally what is problematic in my book is that most LDAP directories
have a group that contains every user of the directory, which prompts
sssd to pull every user. One could also mask the offending group and in
some cases that solves the issue.
I feel your pain though, I have seen quite a few LDAPs but never a tidy
one (not even my freeipa at home is as tidy as I would like it to be).

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx