#624 Enhance POSIX Winsync handling of uidNumber and gidNumber attributes
Opened 6 years ago by nkinder. Modified 2 years ago

FreeIPA would like us to enhance our POSIX Winsync functionality to have more control over the way uidNumber and gidNumber attributes are handled.

A) Ignore AD attributes and generate new ones (existing functionality)
B) Sync posix attributes from AD (what does winsync do when there are no POSIX attributes in the entry?)
  There should be sub options:
  a) If there are no POSIX attributes ignore the user
  b) If there are no POSIX attributes generate the uid/gid on the DS/IPA side
  c) If there are no POSIX attributes use SID to create the uid/gid
C) Ignore POSIX attributes that you have in AD and sync to IPA/DS doing conversion of SIDs to uid/gid.

FreeIPA cares about B.c and C. Other cases are listed for completeness and can help to define options properly.

There are already defined algorithms for generating uidNumber and gidNumber values from a SID. For details on the algorithm we should use, we should ask the FreeIPA development team.
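
The options listed in the ticket, sketched as an added example (not code from the ticket, 389 Directory Server or FreeIPA). The ticket leaves the SID algorithm open, so this assumes a simple RID-offset mapping into one configured range; the function names, the `allocate` callback and the range values are hypothetical.

```python
import struct

# Constructed sample: binary objectSid for S-1-5-21-1111111111-2222222222-3333333333-1105
SAMPLE_SID = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1105)

def parse_sid(raw):
    """Decode a binary objectSid into (domain SID string, RID)."""
    # Layout: revision (1 byte), sub-authority count (1 byte),
    # authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian).
    if len(raw) < 12 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    domain = "-".join(["S", "1", str(authority)] + [str(s) for s in subs[:-1]])
    return domain, subs[-1]

def rid_to_id(rid, range_low, range_size):
    """Assumed scheme: the RID is an offset into [range_low, range_low + range_size)."""
    if rid >= range_size:
        # Refuse rather than wrap, so two RIDs can never share one id.
        raise ValueError("RID %d does not fit the configured range" % rid)
    return range_low + rid

def resolve_uid(entry, option, allocate=None, range_low=200000, range_size=200000):
    """Return the uidNumber for one AD entry under a ticket option, or None to skip it."""
    if option not in ("A", "B.a", "B.b", "B.c", "C"):
        raise ValueError("unknown option %r" % option)
    if option == "A":                      # ignore AD values, generate locally
        return allocate()
    ad_uid = entry.get("uidNumber")
    if option.startswith("B") and ad_uid is not None:
        return int(ad_uid)                 # B: AD POSIX attribute wins when present
    if option == "B.a":                    # no POSIX attributes: ignore the user
        return None
    if option == "B.b":                    # no POSIX attributes: generate locally
        return allocate()
    # B.c without POSIX attributes, or C always: derive the id from the SID
    _domain, rid = parse_sid(entry["objectSid"])
    return rid_to_id(rid, range_low, range_size)
```

With more than one AD domain, each domain SID returned by `parse_sid` needs its own non-overlapping range, otherwise equal RIDs from different domains map to the same uid.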


A design proposal for this feature is located on the 389 wiki:

http://port389.org/wiki/Design/POSIX_Winsync_SID_Enhancements

FreeIPA has decided to go with a different solution here (using a custom plug-in that relies on SSSD vs. winsync). This enhancement is no longer needed, so I'm closing this ticket.

Reopening and deferring to FUTURE. This feature could still be valuable, even if the FreeIPA project is going to do something different.

Metadata Update from @nkinder:
- Issue set to the milestone: FUTURE

2 years ago
