#3649 Add ID range discovery based on remote AD LDAP server probing
Closed: Fixed None Opened 10 years ago by abbra.

We need to identify cases when POSIX IDs are already assigned in Active Directory and create appropriate ID ranges for them instead of always using the algorithmic RID approach in SSSD.

The purpose of this ticket is to make a fast discovery algorithm that would try to identify whether POSIX attributes are in use, what the POSIX ID base is, and what the probable range size is. The code should be plugged into 'ipa trust-add' to allow creating an ID range with correct properties from the start.

Please note that this code will need to access the AD Global Catalog service, which implies authentication. Such authentication should be done using a Kerberos ticket with MS-PAC attached, or a trusted account like we currently do. MS-PAC is not currently attached to HTTP/fqdn or host/fqdn tickets and we cannot use the user's ticket due to the fact that our KDC does not allow wide open S4U2Proxy relay to another domain for HTTP/fqdn.

Once we start assigning MS-PAC to host/fqdn (or HTTP/fqdn), they can be used for authentication against AD GC.

This ticket is part of the trusted domains work for 3.3.


Rename "trusts" component to "Trusts" to achieve correct sorting.

Moving to next month bucket.

This is a 3.3 Trust effort sub-ticket - set rhbz to 0.

Moving open tickets to next month bucket.

Metadata Update from @abbra:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3 - 2013/07

7 years ago
