ObjectSid to uid/gid vs sssd
- From: Zack Ramjan <zack.hr [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: ObjectSid to uid/gid vs sssd
- Date: Thu, 20 Aug 2015 13:56:51 -0400
We are using the objectSid:S-1-5-21-3623811015-3361044348-30300820 feature of
nslcd to look up against Active Directory. It correctly results in reasonable
uid/gids.

The issue we ran into is that some of our servers are using sssd to fully
join an AD domain, yet we need ids to be consistent. The way the two
translate/generate uids/gids is slightly different.

Example:

nslcd
    zack: uid=1234
    bob: uid=14567

sssd
    zack: 1351801234
    bob: 1351814567

(The same rule holds true for groups as well.)

We can see the constant value of 1351800000 is being added on the sssd side
(derived from the domain part of the objectSID), with the last 5 digits being
the same as nslcd.

To make this consistent we've added a config option to nslcd called
"sid_conversion_offset" that will get added (and subtracted when going the
other direction) to the value nslcd typically generates.

E.g. in nslcd.conf:

    sid_conversion_offset 1351800000

produces results that match sssd, i.e.

    zack: 1351801234
    bob: 1351814567

Another use case would be to ensure that everything in AD is above a certain
cutoff. It was only a matter of a few lines of code to add this capability; happy to
share changes if interested, or if it's too niche that's fine too.
Zack Ramjan
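As an added illustration (not code from nslcd, sssd or the message above), here is a Python sketch of the mapping the message describes: the uid/gid is the RID (last sub-authority) of the objectSid, with the configured sid_conversion_offset added on the way out and subtracted on the way back. The domain-prefix check, the sample user table and the helper names are my own assumptions; the domain SID, offset and example ids are the ones quoted in the message.

```python
import re

# Values quoted in the message: the objectSid domain prefix nslcd is
# configured with, and the offset that makes nslcd's ids match sssd's.
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
SID_CONVERSION_OFFSET = 1351800000

# S-1-5-21-<three domain sub-authorities>-<RID>
_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def rid_from_sid(sid, domain_sid=DOMAIN_SID):
    """Return the RID of an objectSid, refusing SIDs from another domain.

    Without the domain check two domains with the same RID would map to
    the same uid, so the prefix is verified before the RID is trusted.
    """
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid!r} is not in domain {domain_sid!r}")
    match = _SID_RE.match(sid)
    if match is None:
        raise ValueError(f"malformed objectSid {sid!r}")
    return int(match.group(1))


def sid_to_id(sid, offset=SID_CONVERSION_OFFSET, domain_sid=DOMAIN_SID):
    """objectSid -> uid/gid: RID plus the configured offset (0 = plain nslcd)."""
    return rid_from_sid(sid, domain_sid) + offset


def id_to_sid(posix_id, offset=SID_CONVERSION_OFFSET, domain_sid=DOMAIN_SID):
    """uid/gid -> objectSid: subtract the offset and rebuild the SID string."""
    rid = posix_id - offset
    if rid < 0:
        raise ValueError(f"id {posix_id} lies below the offset {offset}")
    return f"{domain_sid}-{rid}"


def ids_consistent(nslcd_ids, sssd_ids, offset=SID_CONVERSION_OFFSET):
    """Check that every nslcd id plus the offset equals the sssd id for that user."""
    return all(nslcd_ids[user] + offset == sssd_ids[user] for user in nslcd_ids)


# Constructed sample table from the users named in the message.
NSLCD_IDS = {"zack": 1234, "bob": 14567}
SSSD_IDS = {"zack": 1351801234, "bob": 1351814567}
```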