Learn more about these different git repos.
Other Git URLs
In Active Directory with no Identity Management for Unix Role Service enabled there is no uid attribute available but the user id could be constructed from objectSid. This is what winbind's idmap_rid(8) and nss-pam-ldapd do:
http://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html [[BR]] http://lists.arthurdejong.org/nss-pam-ldapd-users/2011/msg00213.html [[BR]] http://arthurdejong.org/viewvc/nss-pam-ldapd?view=revision&revision=1425
It would make using SSSD against AD easier if something like this would be available in SSSD, too.
Fields changed
milestone: NEEDS_TRIAGE => SSSD Deferred
There was a patch proposal sent to the sssd-devel mailing which illustrates the idea and maps uids like Winbind/idmap_rid do:
https://fedorahosted.org/pipermail/sssd-devel/2011-September/007081.html
There was some initial resistance to this but it would seem that there are no fundamental issues with this approach after all, see the thread starting at:
https://fedorahosted.org/pipermail/sssd-devel/2011-November/007621.html
Of course, the patch needs improvements, these items have come up so far:
milestone: SSSD Deferred => NEEDS_TRIAGE type: defect => enhancement version: 1.6.1 => master
We will get back to this when we implement the native winbind data provider. After we will re-evaluate this patch. We need to be sure that we have a consistent solution. It is a bit premature at the moment.
milestone: NEEDS_TRIAGE => SSSD 1.8.0 priority: major => minor
milestone: SSSD 1.8.0 => SSSD 1.8 AD Integration NEEDS TRIAGE
component: SSSD => LDAP Provider milestone: SSSD 1.8 AD Integration NEEDS TRIAGE => SSSD 1.8.0 owner: somebody => sgallagh
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=768168 768168]
blockedby: => blocking: => milestone: SSSD 1.8.0 => SSSD 1.9.0 NEEDS_TRIAGE
milestone: SSSD 1.9.0 NEEDS_TRIAGE => SSSD 1.9.0 priority: minor => critical
milestone: SSSD 1.9.0 => SSSD 1.9 AD Integration
feature_milestone: => milestone: SSSD AD Trust Feature => SSSD AD Extensions Feature
Our plan for this feature is as follows:
We will introduce a configuration option for AD, which will choose between: 1. SSSD will look for RFC2307bis ID attributes and will ignore any entries that are not populated (This is the current behavior and the default). 1. SSSD will ignore RFC2307bis ID attributes and instead will always construct them from the objectSID attribute, using the {{{autorid}}} id-mapping backend, taken from Samba.
We will use autorid with one enhancement (to be submitted to Samba upstream as well). In the event that the domain sid hashes to a value that is already in use, we will use the next available slot in the domain ranges.
cc: => swalter@redhat.com status: new => assigned
Replying to [comment:11 sgallagh]:
Our plan for this feature is as follows: We will introduce a configuration option for AD, which will choose between: 1. SSSD will look for RFC2307bis ID attributes and will ignore any entries that are not populated (This is the current behavior and the default).
We will introduce a configuration option for AD, which will choose between: 1. SSSD will look for RFC2307bis ID attributes and will ignore any entries that are not populated (This is the current behavior and the default).
On this point we may need to lookup this info from the global catalog instead of the normal LDAP tree in order to get info for the whole forest.
patch: 0 => 1
milestone: SSSD AD Extensions Feature => SSSD 1.9.0 beta 1
Fixed by:
resolution: => fixed status: assigned => closed
One additional fix for endianness issues: - 9fd2775
Metadata Update from @myllynen: - Issue assigned to sgallagh - Issue set to the milestone: SSSD 1.9.0 beta 1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2038
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Log in to comment on this ticket.