+ .. highlight:: none

+ 

+ Hybrid Private Groups for LDAP and AD domains

+ =============================================

+ 

+ Related ticket(s):

+ ------------------

+     https://pagure.io/SSSD/sssd/issue/3822

+ 

+ Problem statement

+ -----------------

+ This change will augment the ``auto_private_groups`` option which currently

+ is a boolean option with a third mode that would, for users who do have

+ the ``gidNumber`` attribute set return the original group, but for users who

+ have no ``gidNumber,`` autogenerate a user-private group.

+ 

+ Use cases

+ ---------

+ This change is mostly useful for backwards compatibility in environments that

+ used to manually set a ``gidNumber`` and need to retain the same primary

+ GID number, but for newly added user, autogenerate the user private group

+ from the ``uidNumber.`` Please see the "How to test" section for an example.

+ 

+ Overview of the solution

+ ------------------------

+ Internally, this hybrid domain would work as a MPG domain, so as if

+ ``auto_private_groups`` was set true. The difference would be when

+ returning the entries. In the hybrid model, if the user being returned

+ had an original GID, this original GID would be used. Otherwise, a primary

+ group generated from the UID would be returned.

+ 

+ Care must be taken in the getgrnam and getgrgid calls to not return the

+ autogenerated group if requested for a user who also has the originalGID set.

+ 

+ Implementation details

+ ----------------------

+ As said above, for the most part, the hybrid domain would work in a similar

+ manner as a domain that had ``auto_private_groups=true`` set in the config

+ file.  This means, that the ``uidNumber`` and ``gidNumber`` attributes in

+ the sysdb cache are always set to the same value, but in case the original

+ entry in LDAP did have a gidNumber stored, that original value is also

+ stored in the cache using the ``origPrimaryGroupGidNumber`` attribute.

+ The purpose of this attribute is to be able to return the original

+ primary GID as a supplemetary group so that any resources owned by this

+ ID are still accessible to the user.

+ 

+ We will take advantage of this attribute when returning the user object

+ during ``getpwnam`` (keep in mind that ``struct passwd``  that the

+ ``getpwnam`` call returns also contains the primary GID number), initgroups

+ and also for a special case during the ``getgrgid`` and ``getgrnam`` calls.

+ 

+ During the getpwnam call, the code will check whether the user being returned

+ has the ``origPrimaryGroupGidNumber`` or not. If it does, its value would

+ be returned as the GID number, otherwise the ``gidNumber`` attribute would

+ be used. A similar logic will be implemented in the initgroups call, with

+ the additional caveat that if the ``origPrimaryGroupGidNumber`` exists,

+ it wouldn't be returned as another secondary group.

+ 

+ For group requests in a domain where the user private groups are completely

+ managed, SSSD would search the whole combined user and group space and

+ return group objects based on user objects in the cache. The hybrid domain

+ must behave a little differently here.  When a request for a user-private

+ group comes, the ``getgr*`` call in a hybrid domain should first try

+ to search group objects only. If there is no match, then also the user

+ objects need to be searched, but only those user objects that have no

+ ``origPrimaryGroupGidNumber`` set can be returned as a private groups.

+ Reusing the example above, ``getgrnam("hybriduser")`` would return a group

+ object inferred from the user object, but ``getgrnam("posixuser")`` would

+ not return anything.

+ 

+ Configuration changes

+ ---------------------

+ Since we are adding a new option value to the existing

+ ``auto_private_groups`` call, the option must internally be converted from

+ boolean to a string with three possible values. We would retain ``true``

+ and ``false`` for backwards compatibility but add a third option value

+ ``hybrid.``

+ 

+ How To Test

+ -----------

+ Considering these two partial LDIFs::

+ 

+     cn=posixuser,dc=example,dc=com

+     uidNumber: 1234

+     gidNumber: 5678

+     cn: posixuser

+     gecos: posix user

+     homeDirectory: /home/posixuser

+     loginShell: /bin/sh

+ 

+     cn=hybriduser,dc=example,dc=com

+     uidNumber: 2345

+     cn: hybriduser

+     # note: no gidNumber attribute

+     gecos: hybrid user

+     homeDirectory: /home/hybriduser

+     loginShell: /bin/sh

+ 

+ The getpwnam output for these two users would be::

+ 

+     $ getent passwd posixuser

+     posixuser:*:1234:5678:posix user:/home/posixuser:/bin/sh

+     $ getent passwd hybriduser

+     hybriduser:*:2345:2345:hybrid user:/home/hybriduser:/bin/sh

+ 

+ Authors

+ -------

+  * Jakub Hrozek <jhrozek@redhat.com>

+    hybrid_private_groups