#1356 Create diagram to explain name2sid/sid2name flow
Closed: Fixed. Opened 12 years ago by simo.

We need to document how we are going to make sid2name/name2sid resolutions from sssd all the way to Ad trusted domains through an IPA server.

Simo and I agreed on the following workflow. If we can agree on this, I will create a diagram for http://freeipa.org/page/IPAv3_Architecture (Simo, which tool did you use here?) and create the necessary tickets for IPA and sssd.

Workflow:

If the PAC responder of sssd receives a PAC it will collect all group related SIDs and RIDs and check if they already can be found in the local cache.

For the SIDs that cannot be found in the local cache the responder will query the providers (with the help of a new method) to resolve the SID to a name.

The IPA provider will use a LDAP extended operation to ask the IPA server to resolve the SID.

The IPA server will check its local cache first before using RPC client code from samba libraries to connect to a DC of the corresponding domain. If the SID can be resolved, the IPA server will store the result in a local cache and send it back to the client.

Sorry, I forgot, before calling the remote AD the IPA server will also check if there is a local mapping.
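The lookup chain above (sssd PAC responder cache, then the IPA provider's extended operation, then the IPA server's own cache, then a local mapping, and only then the trusted domain's DC) is easier to reason about as a small model. The following is an added illustration, not code from sssd or FreeIPA: the extended operation is modelled as a direct method call, the "local mapping" is just a SID-to-name table, the AD DC is a constructed stand-in for the Samba RPC client path, and all SIDs and names are made up. The model also covers the cases the workflow has to handle but does not spell out: a malformed SID, a SID from a domain IPA has no trust with, and a valid domain with an unknown RID (negative results are deliberately not cached).

```python
"""Model of the sid2name resolution chain: sssd PAC responder -> IPA server -> AD DC.

Added example only; the caches, the extended operation and the DC are all
constructed stand-ins, not the real sssd/FreeIPA/Samba code paths.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# S-<revision>-<authority>-<subauthority>...; the last subauthority of a
# domain-style SID is the RID identifying the account inside that domain.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid); raise ValueError for anything not SID-shaped."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


@dataclass
class FakeDomainController:
    """Stand-in for the trusted AD DC the IPA server would reach via Samba RPC."""
    domain_sid: str
    accounts: Dict[int, str]  # RID -> account name (constructed)
    calls: int = 0            # counts round trips to the "remote" DC

    def lookup_sid(self, sid: str) -> Optional[str]:
        self.calls += 1
        domain_sid, rid = split_sid(sid)
        if domain_sid != self.domain_sid:
            return None
        return self.accounts.get(rid)


@dataclass
class IpaServer:
    """Server side of the (hypothetical) sid2name LDAP extended operation."""
    local_mappings: Dict[str, str]                    # SID -> name, consulted before AD
    trusted_domains: Dict[str, FakeDomainController]  # domain SID -> DC of that domain
    cache: Dict[str, str] = field(default_factory=dict)
    trace: List[Tuple[str, str]] = field(default_factory=list)  # which step answered

    def resolve_sid(self, sid: str) -> Optional[str]:
        if sid in self.cache:                       # 1. server-side cache
            self.trace.append(("cache", sid))
            return self.cache[sid]
        if sid in self.local_mappings:              # 2. local mapping, no AD contact
            self.trace.append(("mapping", sid))
            self.cache[sid] = self.local_mappings[sid]
            return self.cache[sid]
        try:                                        # 3. remote DC of the SID's domain
            domain_sid, _ = split_sid(sid)
        except ValueError:
            self.trace.append(("malformed", sid))
            return None
        dc = self.trusted_domains.get(domain_sid)
        if dc is None:                              # no trust with that domain: never call out
            self.trace.append(("unknown-domain", sid))
            return None
        name = dc.lookup_sid(sid)
        if name is None:
            self.trace.append(("not-found", sid))   # negative answers are not cached
            return None
        self.trace.append(("remote", sid))
        self.cache[sid] = name
        return name


@dataclass
class PacResponder:
    """sssd side: takes the group SIDs from a PAC and resolves the unknown ones."""
    ipa: IpaServer
    cache: Dict[str, str] = field(default_factory=dict)

    def resolve_pac_sids(self, sids: List[str]) -> Dict[str, Optional[str]]:
        result: Dict[str, Optional[str]] = {}
        for sid in dict.fromkeys(sids):             # de-duplicate, keep PAC order
            if sid in self.cache:
                result[sid] = self.cache[sid]
                continue
            name = self.ipa.resolve_sid(sid)        # models the LDAP extended operation
            if name is not None:
                self.cache[sid] = name
            result[sid] = name
        return result


AD_DOMAIN = "S-1-5-21-1111-2222-3333"     # constructed trusted domain SID
OTHER_DOMAIN = "S-1-5-21-4444-5555-6666"  # constructed domain with no trust
PAC_SIDS = [f"{AD_DOMAIN}-513", f"{AD_DOMAIN}-1105", f"{AD_DOMAIN}-1200",
            f"{AD_DOMAIN}-9999", f"{OTHER_DOMAIN}-513", "not-a-sid"]


def build_demo() -> Tuple[FakeDomainController, IpaServer]:
    dc = FakeDomainController(AD_DOMAIN, {513: "Domain Users", 1105: "ad-admins"})
    ipa = IpaServer(local_mappings={f"{AD_DOMAIN}-1200": "mapped-group"},
                    trusted_domains={AD_DOMAIN: dc})
    return dc, ipa


if __name__ == "__main__":
    dc, ipa = build_demo()
    client_a = PacResponder(ipa)
    print(client_a.resolve_pac_sids(PAC_SIDS))
    client_b = PacResponder(ipa)   # second sssd client sharing the IPA server cache
    print(client_b.resolve_pac_sids([f"{AD_DOMAIN}-513"]))
    print(ipa.trace, "DC calls:", dc.calls)
```

Running it shows the property the diagram should make visible: a SID that sssd has already resolved never leaves the client again, a SID that one client has resolved through IPA is served from the server cache to every other client, and the DC is contacted only for SIDs in a trusted domain that neither cache nor the local mapping can answer.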

Metadata Update from @simo:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2011/10

