Re: a new library for ID mapping
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Cc: sbose [at] redhat.com
- Subject: Re: a new library for ID mapping
- Date: Sat, 11 Feb 2012 14:18:11 +0100
On Thu, 2012-02-09 at 17:47 +0100, Jakub Hrozek wrote:
> a new library to map Active Directory SIDs onto UNIX IDs was submitted to
> the sssd-devel upstream mailing list today[1]. Currently we plan on using
> it on both the server side (FreeIPA) and the client side (SSSD).
>
> We were wondering if using this library would be beneficial to nss-pam-ldapd
> especially in environments where some clients would run SSSD and some
> would run nss-pam-ldap?
>
> Would you accept a patch that would (perhaps based on configure flags)
> enable using this library for ID mapping in nss-pam-ldapd?

I've had a quick look and it looks interesting.

The nss-pam-ldapd 0.8 series already has some support for using the
objectSid attribute for extracting the uidNumber (and gidNumber)
attribute from.

The basics of the implementation can be found here:
http://lists.arthurdejong.org/nss-pam-ldapd-commits/2011/msg00067.html

The only difficulty we ran into was extracting binary attributes
from search results, which doesn't work well with ldap_get_values():
http://lists.arthurdejong.org/nss-pam-ldapd-commits/2011/msg00128.html

Do you know what the main differences are? (I still haven't looked too
deeply into sssd internals)

Thanks,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
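
An added example, not part of the original message and not nss-pam-ldapd or SSSD code: it decodes a binary objectSid into its string form and shows why an interface that returns NUL-terminated strings, such as ldap_get_values(), loses most of the value. The function names and the sample SID are constructed for illustration, and taking the numeric ID from the last sub-authority (the RID) is an assumption about the mapping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: binary objectSid for S-1-5-21-1000-2000-3000-1105. */
static const unsigned char sample_sid[] = {
  0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* rev 1, 5 sub-auths, authority 5 */
  0x15, 0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, /* 21, 1000 (little-endian) */
  0xd0, 0x07, 0x00, 0x00, 0xb8, 0x0b, 0x00, 0x00, /* 2000, 3000 */
  0x51, 0x04, 0x00, 0x00                          /* 1105, the RID */
};

/* Parse a binary SID of exactly len bytes: string form goes to out, the last
   sub-authority (RID) to *rid. Returns 0 on success, -1 on malformed input. */
int sid_parse(const unsigned char *sid, size_t len, char *out, size_t outlen,
              uint32_t *rid) {
  uint64_t auth = 0;
  size_t i, count, used;
  int n;
  if (len < 8 || sid[0] != 1) return -1;
  count = sid[1];
  if (count < 1 || count > 15 || len != 8 + 4 * count) return -1;
  for (i = 2; i < 8; i++) auth = (auth << 8) | sid[i];   /* big-endian, 48 bits */
  n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
  if (n < 0 || (size_t)n >= outlen) return -1;
  used = (size_t)n;
  for (i = 0; i < count; i++) {
    const unsigned char *p = sid + 8 + 4 * i;
    *rid = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)*rid);
    if (n < 0 || (size_t)n >= outlen - used) return -1;
    used += (size_t)n;
  }
  return 0;
}

/* Length a NUL-terminated string interface would report for the same bytes. */
size_t sid_len_as_cstring(const unsigned char *sid, size_t len) {
  const unsigned char *nul = memchr(sid, 0, len);
  return nul ? (size_t)(nul - sid) : len;
}

int main(void) {
  char buf[64];
  uint32_t rid = 0;
  if (sid_parse(sample_sid, sizeof sample_sid, buf, sizeof buf, &rid) != 0) return 1;
  printf("%s rid=%lu as_cstring=%lu\n", buf, (unsigned long)rid,
         (unsigned long)sid_len_as_cstring(sample_sid, sizeof sample_sid));
  return 0;
}
```

The 28-byte sample is cut to 2 bytes when treated as a C string, because the identifier authority starts with zero bytes. libldap's ldap_get_values_len() returns struct berval values with an explicit bv_len, which is the length a parser like this needs.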