RSS feed

Re: objectSid to uidNumber mapping

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: objectSid to uidNumber mapping

On Wed, 2020-02-12 at 15:21 +0000, Sad Clouds wrote:
> Does anyone know why nslcd requires you to specify the actual SID
> number:
> map  passwd  uidNumber  objectSid:S-1-5-21-3623811015-3361044348-
> 30300820
> This is rather awkward and seems to be completely unnecessary. SID
> numbers have a well defined format, so would it not be easier to
> retrieve this number and automatically convert it to Unix uidNumber,
> similar to what SSSD does?

This is currently needed for the translation of uids and gids when
performing a search. The SID is stored as a binary object in LDAP (AD)
and there is no way (that I know of) to only search for the last part
of the SID.

Perhaps SSSD does some inspection of the LDAP server and is able to
collect this. In any case I would welcome contributions (code and
ideas) on how this could be implemented.

Note that I don't have an AD server handy at the moment to test this


-- arthur - - --