Re: a new library for ID mapping

On Sat, Feb 11, 2012 at 02:18:11PM +0100, Arthur de Jong wrote:
> On Thu, 2012-02-09 at 17:47 +0100, Jakub Hrozek wrote:
> > a new library to map Active Directory SIDs onto UNIX IDs was submitted to
> > the sssd-devel upstream mailing list today[1]. Currently we plan on using
> > it on both the server side (FreeIPA) and the client side (SSSD).
> > 
> > We were wondering if using this library would be beneficial to nss-pam-ldapd
> > especially in environments where some clients would run SSSD and some
> > would run nss-pam-ldap?
> > 
> > Would you accept a patch that would (perhaps based on configure flags)
> > enable using this library for ID mapping in nss-pam-ldapd?
> 
> I've had a quick look and it looks interesting.
> 
> The nss-pam-ldapd 0.8 series already has some support for using the
> objectSid attribute for extracting the uidNumber (and gidNumber)
> attribute from.
> 
> The basics of the implementation can be found here:
>   http://lists.arthurdejong.org/nss-pam-ldapd-commits/2011/msg00067.html
> 
> The only difficulty we ran into was extracting binary attributes from
> search results, which doesn't work well with ldap_get_values():
>   http://lists.arthurdejong.org/nss-pam-ldapd-commits/2011/msg00128.html
> 
> Do you know what the main differences are? (I still haven't looked too
> deeply into sssd internals)
> 

Sorry for the late reply. Sumit, who is the author of the library, has
gone on paternity leave and I forgot to follow up.

Right now, I don't think there are many differences from the point of view
of an nss-pam-ldapd user. IIRC both take a range of allowed IDs and add the
RID to the lower boundary of the range. From a past conversation with
Sumit I recall he had planned to add support for an ordered list of
non-overlapping ranges.

That said, I still think there might be value in providing this library
as an alternative for SID->ID mappings because the library might change
in the future, and using the same component on nss-pam-ldapd clients
and SSSD clients would guarantee compatibility (even bug-for-bug
compatibility).

Of course, I'm willing to actually do the work and write the patch :-)
Before I do so, I'd like to know whether the nss-pam-ldapd upstream would
consider this patch useful and accept it.
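As an added example (not code from this thread, from nss-pam-ldapd or from Sumit's library), this is the mapping Jakub describes, RID added to the lower bound of an allowed ID range, with the binary objectSid parsed explicitly rather than treated as a string. The sample SID, the range values and the helper names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* objectSid layout: byte 0 revision (1), byte 1 sub-authority count n, bytes
 * 2-7 identifier authority (big-endian), then n little-endian uint32
 * sub-authorities, the last being the RID. Read it with ldap_get_values_len()
 * (struct berval), not ldap_get_values(): it contains NUL bytes. */
#define SID_HDR 8
#define SID_MAX_SUB 15

struct idmap_range { uint32_t low, high; };   /* inclusive UNIX ID range */

/* Extract the RID; returns 0 on success, -1 if the buffer is not a SID. */
static int sid_get_rid(const unsigned char *sid, size_t len, uint32_t *rid)
{
    if (sid == NULL || len < SID_HDR || sid[0] != 1)
        return -1;
    size_t n = sid[1];
    if (n == 0 || n > SID_MAX_SUB || len != SID_HDR + 4 * n)
        return -1;
    const unsigned char *p = sid + SID_HDR + 4 * (n - 1);
    *rid = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

/* Map SID -> UNIX ID as range.low + RID. Returns 0 (assumed never a valid
 * mapped ID, i.e. range.low > 0) for a malformed SID, an inverted range, or
 * a RID that would land past range.high; the check cannot overflow. */
static uint32_t sid_to_unix_id(const unsigned char *sid, size_t len,
                               const struct idmap_range *r)
{
    uint32_t rid;
    if (sid_get_rid(sid, len, &rid) != 0 || r->high < r->low)
        return 0;
    if (rid > r->high - r->low)
        return 0;
    return r->low + rid;
}

/* Constructed sample: S-1-5-21-1-2-3-1104 (28 bytes, RID 1104 = 0x450). */
static const unsigned char sample_sid[28] = {
    1, 5, 0, 0, 0, 0, 0, 5,
    21, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0,  3, 0, 0, 0,  0x50, 0x04, 0, 0 };
/* Hypothetical helper: map the sample SID (first len bytes) into [low, high]. */
static uint32_t map_sample(size_t len, uint32_t low, uint32_t high)
{
    struct idmap_range r = { low, high };
    return sid_to_unix_id(sample_sid, len, &r);
}
```

With a range of 200000-400000 the sample maps to 201104; a range too small for the RID, or a truncated SID buffer, yields no mapping.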