NIX Enumeration Issues


Enumeration is the "root of all evil" when you have a large database. Enumeration means that an application examines all the entries in a database, one entry at a time.

FYI: An application that calls setpwent/getpwent() or setgrent/getgrent() is an application that enumerates. When an application calls one of these APIs, LDAP-UX Client Services products must request all the posixAccount or posixGroup entries from the LDAP directory in order to satisfy the request. If your LDAP directory contains 70,000 posixAccount entries and you have an application that calls setpwent/getpwent() every 10 minutes, then the application will be downloading all 70,000 entries through your network every 10 minutes!

Eliminating applications that do enumeration will greatly improve performance of your systems and reduce network bandwidth requirements. An LDAP directory cannot increase performance of applications that enumerate. However, an LDAP directory can give applications new options, eliminating the need for enumeration. Here is an example: Suppose an application wants to display all the users that have blank passwords. For this program to work, it must examine every passwd entry checking to see if the user's password is a null string. It repeatedly calls getpwent() until it reaches the end of the password file.

If this passwd database contains one million users, this requires excessive CPU and network resources. But an LDAP search request could perform this task in one operation, and quickly (in this example, the userPassword attribute should be "indexed" as described in the previous section.) Here is a simplified command to perform the above request: ldapsearch -b baseDN (&(objectclass=posixaccount)(userpassword="")) dn

Common Enumerators#

The best way to improve performance of applications that do enumeration is to rewrite or eliminate them if possible. Below is a list of common offenders:
  • finger, enumerates the entire password list to find the requested user.
  • initgroups(), a procedure called by login and groups, enumerates all groups, to determine which groups the user belongs to. On an HP-UX 10.20 NIS client, the initgroups() procedure does not attempt to determine what groups the user is a member of. However, on 11.00 NIS client, this command executes a "ypall" request, which enumerates all groups. On an 11.00 native LDAP client, this command uses a proper LDAP search, thus avoiding enumeration.
  • disug, enumerates the entire password list to find the user names.
  • quota, enumerates the entire password list when told to generate a report.

Timeouts and Maximum Number of Replies#

To prevent users from consuming all the resources of an LDAP directory, most directory products allow the Directory Administrator to configure limitations on responses to directory search requests. As an example, if a user requests all the data in the database, the directory server may be configured to return at most 1,000 entries. These limitations are primarily made available to help prevent "denial of service" attacks, preventing a malicious user from consuming all the LDAP server resources, making them unavailable to other users.

However, these limitations may adversely affect normal application operation. Again applications that enumerate are the source of most of the difficulties. Eliminating or rewriting applications that enumerate will likely remove the timeout and maximum number of replies limitations. However, if this cannot be done, and you have a large database, you will need to adjust your directory configuration parameters as follows:

Maximum Number of Replies#

If an LDAP directory is configured to return at most 1,000 entries for a search request, but a database has 10,000 Posix accounts, then an application that needs to display all 10,000 will think it has completed it's task after only 1,000 entries. The side effects of this obviously depend on the goal of the application.


Another configuration limitation is the time spent serving a request. Although this limit may be harder to encounter, the results are the same as described above. If a maximum time limit is set for a search request, then it is possible that an application enumerating the entries in the database may terminate prematurely. Timeouts can occur on both the server and client side.

More Information#

There might be more information for this subject on one of the following: