Re: a new library for ID mapping
- From: Jakub Hrozek <jhrozek [at] redhat.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: a new library for ID mapping
- Date: Tue, 14 Feb 2012 22:11:38 +0100
On Sat, Feb 11, 2012 at 02:18:11PM +0100, Arthur de Jong wrote:
> On Thu, 2012-02-09 at 17:47 +0100, Jakub Hrozek wrote:
> > a new library to map Active Directory SIDs onto UNIX IDs was submitted to
> > the sssd-devel upstream mailing list today[1]. Currently we plan on using
> > it on both the server side (FreeIPA) and the client side (SSSD).
> >
> > We were wondering if using this library would be beneficial to nss-pam-ldapd
> > especially in environments where some clients would run SSSD and some
> > would run nss-pam-ldap?
> >
> > Would you accept a patch that would (perhaps based on configure flags)
> > enable using this library for ID mapping in nss-pam-ldapd?
>
> I've had a quick look and it looks interesting.
>
> The nss-pam-ldapd 0.8 series already has some support for using the
> objectSid attribute for extracting the uidNumber (and gidNumber)
> attribute from.
>
> The basics of the implementation can be found here:
> http://lists.arthurdejong.org/nss-pam-ldapd-commits/2011/msg00067.html
>
> The only difficulty we ran into was extracting binary attributes
> from search results, which doesn't work well with ldap_get_values():
> http://lists.arthurdejong.org/nss-pam-ldapd-commits/2011/msg00128.html
>
> Do you know what the main differences are? (I still haven't looked too
> deeply into sssd internals)
>
Sorry for the late reply. Sumit, who is the author of the library, has
gone on paternity leave and I forgot to follow up.

Right now, I don't think there are many differences from the point of view
of a nss-pam-ldapd user. IIRC both take a range of allowed IDs and add the
RID to the lower boundary of the range. From a past conversation with
Sumit I recall he had planned to add support for an ordered list of
non-overlapping ranges.

That said, I still think there might be value in providing this library
as an alternative for SID->ID mappings because the library might change
in the future, and using the same component on nss-pam-ldapd clients
and SSSD clients would guarantee compatibility (even bug-for-bug
compatibility).

Of course, I'm willing to actually do the work and write the patch :-)
Before I do so, I'd like to know whether the nss-pam-ldapd upstream would
consider this patch useful and accept it.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
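The two mechanisms the thread discusses, decoding the binary objectSid attribute and mapping the SID's RID onto a UNIX ID by adding it to the lower bound of a configured range, as an added worked example. This is illustration code written for this page, not code from nss-pam-ldapd or from the SID mapping library (later libsss_idmap) being proposed. The objectSid wire layout it decodes is the standard one (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities, the last of which is the RID); the `IdRange` type, the function names and the sample domain SID and range values are all constructed for the example. It also adds the two checks a deployment wants around such a mapping: configured ranges must not overlap (otherwise two domains' users collapse onto the same UNIX IDs), and a RID that would land past a range's upper bound is refused rather than allowed to spill into a neighbouring range.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_binary_sid(blob: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then `count` little-endian 32-bit
    sub-authorities. The last sub-authority is the RID.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def build_binary_sid(sid: str) -> bytes:
    """Inverse of parse_binary_sid; used here only to construct sample input."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


@dataclass(frozen=True)
class IdRange:
    """One configured mapping range (hypothetical type for this example)."""
    domain_sid: str   # domain part of the SID, without the RID
    lower: int        # first UNIX ID of the range (inclusive)
    upper: int        # last UNIX ID of the range (inclusive)


def validate_ranges(ranges: List[IdRange]) -> None:
    """Reject ill-formed or overlapping UNIX ID ranges across all domains.

    Overlap would let SIDs from two domains map onto the same UNIX ID,
    so it is refused up front rather than discovered at lookup time.
    """
    prev_upper = -1
    for r in sorted(ranges, key=lambda r: r.lower):
        if r.lower > r.upper:
            raise ValueError("range %r has lower > upper" % (r,))
        if r.lower <= prev_upper:
            raise ValueError("range %r overlaps the previous range" % (r,))
        prev_upper = r.upper


def sid_to_unix_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Map a SID to a UNIX ID: lower bound of its domain's range plus the RID.

    Returns None when the domain has no configured range or when the RID
    would push the result past the range's upper bound; it never silently
    produces an ID that belongs to a neighbouring range.
    """
    domain, rid = split_domain_rid(sid)
    for r in ranges:
        if r.domain_sid == domain:
            unix_id = r.lower + rid
            return unix_id if unix_id <= r.upper else None
    return None


# Constructed sample values (not from the thread): two domains with
# disjoint ranges, and one user with RID 1013 in the first domain.
SAMPLE_DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_RANGES = [
    IdRange(SAMPLE_DOMAIN, 200000, 399999),
    IdRange("S-1-5-21-1-2-3", 400000, 599999),
]
SAMPLE_BLOB = build_binary_sid(SAMPLE_DOMAIN + "-1013")

if __name__ == "__main__":
    validate_ranges(SAMPLE_RANGES)
    sid = parse_binary_sid(SAMPLE_BLOB)
    print(sid, "->", sid_to_unix_id(sid, SAMPLE_RANGES))
```

Running the block prints the decoded SID and its mapped ID, 201013 (200000 + 1013). The sample blob is built with `build_binary_sid` purely so the decoder has something to run on offline; in a real client the bytes come straight out of the LDAP search result, which is exactly the binary-attribute extraction step the quoted message flags as awkward with ldap_get_values().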