Looking up DICE user/group information
Users of DICE machines may have noticed that system utilities such as
getent and finger are no longer returning a full list of Informatics users.
We use sssd (System Security Service Daemon) on DICE to cache LDAP
data, such as user and group information. For finger to work with
anything other than usernames, it requires the sssd “enumerate”
option. This enumerates, and caches, the entire LDAP user and group
directory locally. The man page (sssd.conf(5)) recommends against
doing this, “especially in large environments” (although it doesn’t
specify what “large” is). This has always worked for us, and so we
have enabled this option previously.
The version of sssd on Scientific Linux 7.3 has unfortunately proved
unreliable with enumerate enabled, to the extent of rendering a
machine unusable. Subsequent releases and proposed bug-fixes have not
effectively resolved the problem and so we have had to disable
enumerate across DICE machines.
We have produced some local utilities to help replace the
functionality lost through the system changes described above.
finger-dice is a wrapper utility around the system finger command and
can be used to find out details about users given only part of their
name (e.g. surname).
getent-dice database (where database is one of passwd, group,
netgroup) will produce a full list, although note that it does not
return information on system users or groups.
dice-user-info is a general utility for finding out contact
information for people in Informatics. It takes a single argument and
matches against name, location and telephone number.
All of these utilities have man pages.
Goodness – I’d quite forgotten .plan files!
I’ve just tried the commands, but I’m getting errors on bonnington. Maybe I need to reboot?
106 $ dice-user-info AT
{'desc': 'Connect error'}
107 $ finger-dice Sterratt
{'desc': 'Connect error'}
Hi David, that is strange … it works OK for me on bonnington. I’ll contact you offline, if you don’t mind helping me debug.
Thanks for this—it is really useful
Hi,
Is this command supposed to work?
`getent-dice netgroup --name=s1620208`
It doesn’t seem to be returning the list of netgroups associated with any given user.
Hi there,
That isn’t how getent-dice (or getent) is designed to work.
getent netgroup <netgroup> will return the members of <netgroup>, but not what netgroups any given user belongs to.
However getent-dice does support enumeration of netgroups (which getent doesn’t, even when sssd enumeration is on), so something like this would give you the information you want…
getent-dice netgroup|grep s1620208|cut -d' ' -f1
Toby
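An added example, not part of the original post or comments and not DICE's own code: a grep over the enumerated netgroups matches the username anywhere on the line, so it also returns netgroups whose name or other members merely contain that string, which matters when netgroup membership is used for access decisions. The function below matches only the user field of each triple exactly; it assumes getent-dice prints netgroups in the same layout as `getent netgroup <netgroup>` (name followed by `(host,user,domain)` triples), and the sample netgroup and host names are constructed.

```shell
#!/bin/sh
# Added example, not part of getent-dice. Assumed input layout (as printed by
# `getent netgroup NAME`): "name (host,user,domain) (host,user,domain) ..."

# netgroups_for_user USER
# Reads netgroup lines on stdin; prints each netgroup that contains a triple
# whose user field is exactly USER.
netgroups_for_user() {
    awk -v user="$1" '
    {
        name = $1
        rest = $0
        # Walk the parenthesised triples; a triple may contain spaces,
        # e.g. "( ,user,)", so do not split the line on whitespace.
        while (match(rest, /\([^)]*\)/)) {
            triple = substr(rest, RSTART + 1, RLENGTH - 2)
            rest = substr(rest, RSTART + RLENGTH)
            n = split(triple, field, ",")
            if (n != 3) continue
            gsub(/[ \t]/, "", field[2])
            if (field[2] == user) { print name; break }
        }
    }'
}

# Constructed sample data (hypothetical netgroup and host names).
sample_netgroups() {
    cat <<'EOF'
students-example      ( ,s1620208,) ( ,s1620299,)
staff-example         ( ,s16202081,) (host1,-,example)
mixed-example         (host2, s1620208, example)
s1620208-hosts        (host3,-,example)
EOF
}

# Demo on the sample; on DICE the input would be `getent-dice netgroup`.
sample_netgroups | netgroups_for_user s1620208
```

On the sample, a plain grep for s1620208 would return all four netgroups, while the function returns only the two that actually list that user.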