RSS feed

Re: a new library for ID mapping

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: a new library for ID mapping

On Sat, Feb 11, 2012 at 02:18:11PM +0100, Arthur de Jong wrote:
> On Thu, 2012-02-09 at 17:47 +0100, Jakub Hrozek wrote:
> > a new library to map Active Directory SIDs onto UNIX IDs was submitted to
> > the sssd-devel upstream mailing list today[1]. Currently we plan on using
> > it on both the server side (FreeIPA) and the client side (SSSD).
> > 
> > We were wondering if using this library would be beneficial to nss-pam-ldapd
> > especially in environments where some clients would run SSSD and some
> > would run nss-pam-ldap?
> > 
> > Would you accept a patch that would (perhaps based on configure flags)
> > enable using this library to for ID mapping in nss-pam-ldapd?
> I've had a quick look and it looks interesting.
> The nss-pam-ldapd 0.8 series already has some support for using the
> objectSid attribute for extracting the uidNumber (and gidNumber)
> attribute from.
> The basics of the implementation can be found here:
> The only difficulty we ran into was that extracting binary attributes
> from search results which doesn't work well with ldap_get_values():
> Do you know what the main differences are? (I still haven't looked too
> deeply into sssd internals)

Sorry for the late reply. Sumit, who is the author of the library, has
gone on paternity leave and I forgot to follow up.

Right now, I don't think there are many differences from the point of view
of a nss-pam-ldapd user. IIRC both take a range of allow ID and add the
RID to the lower boundary of the range. From a past conversation with
Sumit I recall he had planned to add a support for an ordered list of
non-overlapping ranges.

That said, I still think there might be value in providing this library
as an alternative for SID->ID mappings because the library might change
in the future and by using the same component on nss-pam-ldapd clients
and SSSD clients would guarantee compatibility (even bug-for-bug

Of course, I'm willing to actually do the work and write the patch :-)
Before I do so, I'd like to know whether the nss-pam-ldapd upstream would
consider this patch useful and accept it.
To unsubscribe send an email to or see