Re: [ldapext] DBIS commentary

Simo Sorce <> Wed, 02 December 2015 01:21 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2A13D1B3037 for <>; Tue, 1 Dec 2015 17:21:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6ZBaWrbJmVES for <>; Tue, 1 Dec 2015 17:21:51 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DC0881B3034 for <>; Tue, 1 Dec 2015 17:21:50 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTPS id A0A0A8E22B; Wed, 2 Dec 2015 01:21:50 +0000 (UTC)
Received: from ([]) by (8.14.4/8.14.4) with ESMTP id tB21LmEX005831 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 1 Dec 2015 20:21:49 -0500
Message-ID: <>
From: Simo Sorce <>
To: Jordan Brown <>
Date: Tue, 01 Dec 2015 20:21:48 -0500
In-Reply-To: <>
References: <> <> <> <> <>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on
Archived-At: <>
Cc: "''" <>
Subject: Re: [ldapext] DBIS commentary
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Dec 2015 01:21:53 -0000

On Tue, 2015-12-01 at 09:52 -0800, Jordan Brown wrote:
> > I have people telling me groupOfNames doesn't work well for them
> > because it can be a group of anything.
> > Extra LDAP searches are required to figure out what type of object 
> > the members are.  That leads to a rather inefficient system.
> >
> There are two problems there:
> 1)  A group could contain anything, even when you want it to only
> contain one type.  Administrator error could lead to incorrect
> configurations.  In programming-ese, it's not type-safe.  One might
> hope that you could set up metadata limiting the types of objects that
> could be added to a group, like you can set up limits on the types of
> objects that can be put in a container, but I don't know if you can.
> One hopes that your administration UIs will help here - if you're
> defining a group of users, the administration UI presumably knows that
> and only lets you add users.  At the same time, this flexibility
> enables nested groups, which can be very useful.

This is very true and there are products that can cope, there are also
mechanism to more efficiently (at least latency wise) if you use
controls like:

Both OpenLDAP and 389ds (for FreeIPA) implement this control and we use
it in various clients.

> 2)  You have to do "extra" searches to get any real information on the
> member.

The control above helps quite a bit in cases where you really need to

>  Yes, that's a very big problem.  The particular pain point is that
> getgrnam and getgrgid are defined to return a list of the members of
> the group, necessitating a search for *each* member. That gets pretty
> painful when a group has thousands of members.

It is fully broken indeed, based on age old databases that were very
small and always local to the system.

>  I think the truly right answer there is to add new APIs that don't
> retrieve the members, and even to redefine the existing APIs to not
> retrieve the members, because there are almost no cases where it
> actually makes sense to retrieve the list of members of a UNIX group. 

It would be nice to have a new API, although Posix has some wiggle room
which we fully exploit in clients like Windbind and SSSD.

Both clients simply do not return all members in the enumeration cases
(getgrent) but only in the explicit group retrieve case (getgrnam).
This is because Posix allows to omit results in the enumeration case
according to some interpretations. 

>  The standards provide some help in that there are hints in the UNIX
> standard that the list of members returned may not be complete. 

Indeed, some admins complain about this so switches are provided in the
above mentioned clients to behave "the classic way". And surprisingly
very few systems really have a big issue with this. Given that any
application that depends on full group enumeration is already fully
broken and a  performance liability on any enterprise system that has
accounts in the thousands.

>  Also:  Caching is your friend. Note also that the PADL version of
> nss_ldap has a "nss_getgrent_skipmembers" option that disables
> returning the list of members.

Any client that doesn't do caching today is really a bad idea.

> As long as we're talking about flaws in groupOfNames:  there's also
> the problem that "member" is a MUST attribute, and that makes empty
> groups problematic.

This was, in fact, such a big problem that in the FreeIPA product we
decided to break with the standard and changed member to be MAY, never
looked back on this choice.

> Active Directory uses the same basic structure, but uses the "group"
> class instead of groupOfNames, and for "group" the "member" attribute
> is a MAY.  RFC2307bis-02 replaces groupOfNames with groupOfMembers,
> again with "member" as a MAY.
> (One might have hoped that you could have an attribute with a empty
> list of values, but X.501 does not allow that.)
> > See previous reservations regarding groupOfNames.  Imagine trying to
> construct a 
> > search
> > operation to find just host members, or just user members.
> Do note that the queries that you normally need are "is this host (or
> user) a member of this group" and "what groups is this user a member
> of".  It's hard to find cases where you really want to ask "what are
> the members of this group".  The "is this X a member" and "what groups
> is this X a member of" queries aren't bad at all with groupOfNames -
> you have to do a lookup on X to get its DN, but then you 
> just do a natural (and efficient) search.

Yes this is generally the case for "system level" clients, but indeed
many poor administrative clients tend to do the former kind of query,
because they think it is a good idea to show all the members, they tend
to have some problems when the members reach the multiple tens of
thousands :-)


P.S. I switched to use my "corporate" email address so there is no
confusion on what hat I may be wearing.

Simo Sorce * Red Hat, Inc * New York