#6293 [RFE] Set alternate primary group for AD trust users
Opened 2 years ago by orion. Modified 2 years ago

Currently all AD trust users have a primary group id equal to their user id. In some situations it is desired to have users' primary group be a shared group. Perhaps the AD primary group functionality could be leveraged for this.

In the id-range objects, the information whether user private groups (UPGs) should be used with algorithmic mapping or not should be stored. Whether this should be done with a flag or with a new id-range type still has to be decided.

If the id-range is configured to not use UPGs, the AD LDAP attribute primaryGroupID should be used to determine the primary group. This attribute is available in the PAC as well, so it allows consistent setting of the primary group. Please note that the numerical value of the attribute is a RID and not a POSIX ID. So the group with the matching RID in the AD domain has to be looked up to determine the POSIX GID of the primary group. But this matches what the AD UI does when setting the primary group.

Related SSSD ticket https://fedorahosted.org/sssd/ticket/3183
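
The resolution described in this ticket, sketched as an added example (not FreeIPA or SSSD code): the primaryGroupID RID is combined with the user's domain SID to name the group, and the GID is then derived from the range. Assumptions: a purely algorithmic range where a POSIX ID is the base ID plus the RID offset, a hypothetical `use_upg` flag standing in for the undecided flag or range type, and constructed SID and range values; with POSIX attributes stored in AD the group object would be fetched by the computed SID and its GID read from there instead.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class IdRange:
    """Constructed stand-in for an AD-trust id-range with algorithmic mapping."""
    domain_sid: str   # SID of the trusted AD domain
    base_id: int      # first POSIX ID of the range
    base_rid: int     # first RID mapped into the range
    size: int         # number of IDs in the range
    use_upg: bool     # hypothetical flag: True = user private groups (today's behaviour)

    def rid_to_posix(self, rid: int) -> int:
        offset = rid - self.base_rid
        if not 0 <= offset < self.size:
            raise ValueError(f"RID {rid} is outside the id-range")
        return self.base_id + offset

def split_sid(sid: str) -> Tuple[str, int]:
    """Split an object SID into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    if not domain_sid.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"malformed SID: {sid!r}")
    return domain_sid, int(rid)

def resolve_ids(rng: IdRange, user_sid: str,
                primary_group_id: int) -> Tuple[int, int, Optional[str]]:
    """Return (uid, gid, primary group SID or None when UPGs are used)."""
    domain_sid, user_rid = split_sid(user_sid)
    if domain_sid != rng.domain_sid:
        raise ValueError("user SID does not belong to this range's domain")
    uid = rng.rid_to_posix(user_rid)
    if rng.use_upg:
        return uid, uid, None  # UPG: primary GID equals the UID
    # primaryGroupID is a RID, not a POSIX ID: the primary group is the
    # object with that RID in the user's own domain.
    group_sid = f"{domain_sid}-{primary_group_id}"
    return uid, rng.rid_to_posix(primary_group_id), group_sid

# Constructed sample values (not taken from any real deployment).
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_USER_SID = SAMPLE_DOMAIN_SID + "-1104"
UPG_RANGE = IdRange(SAMPLE_DOMAIN_SID, 200000, 0, 200000, use_upg=True)
SHARED_RANGE = IdRange(SAMPLE_DOMAIN_SID, 200000, 0, 200000, use_upg=False)

if __name__ == "__main__":
    print(resolve_ids(UPG_RANGE, SAMPLE_USER_SID, 513))
    print(resolve_ids(SHARED_RANGE, SAMPLE_USER_SID, 513))
```

Because the group SID is built from the user's own domain SID, a primaryGroupID value can never point at a group in a different domain, and a RID outside the range is rejected rather than mapped to an ID owned by another range.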

