Re: objectSid to uidNumber mapping

On Wed, 2020-02-12 at 15:21 +0000, Sad Clouds wrote:
> Does anyone know why nslcd requires you to specify the actual SID
> number:
> 
> map  passwd  uidNumber  objectSid:S-1-5-21-3623811015-3361044348-30300820
> 
> This is rather awkward and seems to be completely unnecessary. SID
> numbers have a well defined format, so would it not be easier to
> retrieve this number and automatically convert it to Unix uidNumber,
> similar to what SSSD does?

This is currently needed for the translation of uids and gids when
performing a search. The SID is stored as a binary object in LDAP (AD)
and there is no way (that I know of) to only search for the last part
of the SID.

Perhaps SSSD does some inspection of the LDAP server and is able to
collect this. In any case I would welcome contributions (code and
ideas) on how this could be implemented.

Note that I don't have an AD server handy at the moment to test this
against.

Thanks.

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
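To illustrate the point made in the reply, here is an added Python example (not code from nslcd or SSSD) that encodes and decodes the binary objectSid layout and builds the filter a lookup of a given uidNumber needs. The domain SID is the one quoted in the thread; the uid value 1000 is a constructed sample. It shows why the domain prefix has to be known: the filter value is the complete binary SID, and a search on the RID alone cannot be expressed.

```python
import struct

# Domain SID as quoted in the thread; the RID appended to it becomes the uidNumber.
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID into the binary layout stored in AD's objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID fields out of range: %r" % sid)
    # revision (1 byte), sub-authority count (1 byte), identifier authority
    # (48-bit big-endian), then each sub-authority as 32-bit little-endian
    raw = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return raw + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid value back to its S-1-... textual form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)


def rid_from_sid_bytes(raw: bytes) -> int:
    """The RID is the last sub-authority; it is what becomes the uidNumber."""
    return int(bytes_to_sid(raw).rsplit("-", 1)[1])


def ldap_filter_for_uid(domain_sid: str, uid: int) -> str:
    """Build the (objectSid=...) filter that a lookup for uidNumber=uid needs.

    The filter value must be the complete binary SID (domain prefix + RID),
    hex-escaped per RFC 4515; a search on the RID alone is not expressible.
    """
    raw = sid_to_bytes("%s-%d" % (domain_sid, uid))
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in raw)


if __name__ == "__main__":
    print(ldap_filter_for_uid(DOMAIN_SID, 1000))
    print(rid_from_sid_bytes(sid_to_bytes(DOMAIN_SID + "-1000")))
```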