We need two attributes in the ipaNTTrustedDomain objectclass to store different kinds of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID of the trusted domain. A second attribute is needed to store the SID for the trusted domain user. Since it cannot be derived safely from other values, and since it does not make sense to create a separate object for the user, a new attribute is needed.
It makes sense to store the SID for the trusted domain user in ipaNTSecurityIdentifier and use a new attribute for the Domain-SID of the trusted domain, because then ipaNTSecurityIdentifier is only used for SIDs from the IPA domain and the DNA plugin (#1614) can be used to create the SID for the trusted domain user too.
Simo was already so kind to reserve the OID 2.16.840.1.113730.3.8.11.23 and the name ipaNTTrustedDomainSID for the new attribute.
Alexander, please add the attribute when you are working on #2189
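As an added illustration (not FreeIPA code, and not part of the ticket), the following Python check validates an ipaNTTrustedDomain entry against the layout proposed above: ipaNTTrustedDomainSID must hold the foreign domain's SID, and ipaNTSecurityIdentifier must hold a user SID allocated inside the IPA domain. The SID values and the entry dictionary are constructed samples.

```python
import re

# Constructed sample values; not taken from any real IPA installation.
IPA_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TRUST_ENTRY = {
    "objectClass": ["ipaNTTrustedDomain"],
    "cn": ["ad.example.test"],
    # SID of the trusted (foreign) domain, per the proposed new attribute
    "ipaNTTrustedDomainSID": ["S-1-5-21-4444444444-5555555555-6666666666"],
    # SID of the trusted domain user, allocated from the IPA domain (DNA-style RID)
    "ipaNTSecurityIdentifier": [IPA_DOMAIN_SID + "-1001"],
}

# Domain-style SIDs: S-1-5-21-<sub>-<sub>-<sub> with an optional trailing RID
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")


def parse_sid(sid):
    """Split a domain-style SID into (domain_sid, rid); rid is None for a bare domain SID."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain-style SID: %r" % sid)
    parts = sid.split("-")
    if len(parts) == 7:
        return sid, None
    return "-".join(parts[:7]), int(parts[7])


def check_trust_entry(entry, ipa_domain_sid):
    """Return a list of problems; an empty list means the entry follows the proposed layout."""
    dom = entry.get("ipaNTTrustedDomainSID", [None])[0]
    usr = entry.get("ipaNTSecurityIdentifier", [None])[0]
    if dom is None or usr is None:
        return ["entry must carry both ipaNTTrustedDomainSID and ipaNTSecurityIdentifier"]
    try:
        dom_base, dom_rid = parse_sid(dom)
        usr_base, usr_rid = parse_sid(usr)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if dom_rid is not None:
        problems.append("ipaNTTrustedDomainSID must be a domain SID, not a user SID")
    if dom_base == ipa_domain_sid:
        problems.append("trusted domain SID must differ from the IPA domain SID")
    if usr_rid is None or usr_base != ipa_domain_sid:
        problems.append("ipaNTSecurityIdentifier must be a user SID within the IPA domain")
    return problems
```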
This will be handled as part of #2189.
Added to main schema and updates. Will get posted together with whole set of trust patches.
master: b32204f
Metadata Update from @sbose: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2012/02