Hi,

I've one more application that doesn't behave very properly with FQDN users. For LDAP, this is no longer a problem as we use AD directly for applications now. But this application uses PAM, so somehow I do need to present it a shortname as described in
https://docs.pagure.org/sssd.sssd/design_pages/subdomain_configuration.html#test-short-names-for-trusted-domains
and
https://docs.pagure.org/sssd.sssd/design_pages/shortnames.html

Adding use_fully_qualified_names = False indeed results in the possibility of using <user> instead of <user>@<domain>. But the returned/displayed values are still <user>@<ad domain> or <user>@<IPA domain>.

I could resolve that with full_name_format = %1$s, but this breaks logon for trusted AD users... Which is confirmed on the sssd mailing list by Jakub Hrozek:

"Keep in mind that by default, the names will still come back qualified from the child domains because that’s the only way to distinguish users from different domains during a multi-step authentication process (e.g. application receives a name to authenticate as, then calls getpwnam on that input and uses the output of getpwnam from then on..). You /can/ tune the full_name_format to only include the user name, but please be aware of the consequences."

Or is there a configuration which is a solution for this issue?
