#2191 Add ipaNTTrustedDomainSID attribute to ipaNTTrustedDomain objectclass
Closed: Fixed None Opened 12 years ago by sbose.

We need two attributes in the ipaNTTrustedDomain objectclass to store different kinds of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values and since it does not make sense to create a separate object for the user, a new attribute is needed.

It makes sense to store the SID for the trusted domain user in ipaNTSecurityIdentifier and use a new attribute for the Domain-SID of the trusted domain, because then ipaNTSecurityIdentifier is only used for SIDs from the IPA domain and the DNA plugin (#1614) can be used to create the SID for the trusted domain user too.

Simo was already so kind to reserve the OID 2.16.840.1.113730.3.8.11.23 and the name ipaNTTrustedDomainSID for the new attribute.


Alexander, please add the attribute when you are working on #2189.

This will be handled as part of #2189.

Added to main schema and updates. Will get posted together with whole set of trust patches.

Metadata Update from @sbose:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2012/02

7 years ago
