On Thu, 06 Sep 2018, Pieter Baele via FreeIPA-users wrote:
Hi,

I've one more application that doesn't behave very properly with FQDN users.
For LDAP, this is no longer a problem as we use AD directly for
applications now.
But this application uses PAM, so somehow I do need to present it a
shortname as described in
https://docs.pagure.org/sssd.sssd/design_pages/subdomain_configuration.html#test-short-names-for-trusted-domains
and https://docs.pagure.org/sssd.sssd/design_pages/shortnames.html

Adding use_fully_qualified_names = False indeed results in the possibility
of using <user> instead of <user>@<domain>
But the returned/displayed values are still <user>@<ad domain> or
<user>@<IPA domain>

I could resolve that with full_name_format = %1$s, but this breaks logon
for trusted AD users....

Which is confirmed on the sssd mailing list by Jakub Hrozek
"Keep in mind that by default, the names will still come back qualified
from the child domains because that’s the only way to distinguish users
from different domains during a multi-step authentication process (e.g.
application receives a name to authenticate as, then calls getpwnam on that
input and uses the output of getpwnam from then on..). You /can/ tune the
full_name_format to only include the user name, but please be aware of the
consequences."

Or is there a configuration which is a solution for this issue?

Jakub gave you the answer. The client side is all in SSSD control.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
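
The round trip described in the quoted passage from Jakub, as a toy model added here (not SSSD code and not part of the original message). The domain names, users and UIDs are constructed, and the rule that an unqualified name resolves to the first domain with a match is an assumption of the model:

```python
# Toy model of the name round trip; constructed data, not SSSD internals.
DOMAINS = {  # dict order = assumed lookup order for unqualified names
    "ipa.example.test": {"alice": 1001, "bob": 1002},
    "ad.example.test": {"alice": 2001, "carol": 2003},
}

def render(fmt, user, domain):
    """Expand the full_name_format placeholders %1$s (user) and %2$s (domain)."""
    return fmt.replace("%1$s", user).replace("%2$s", domain)

def getpwnam(name, fmt):
    """Return (pw_name, uid) or None. Qualified names go to their own domain;
    short names go to the first domain that knows the user (model assumption)."""
    user, sep, domain = name.partition("@")
    candidates = [domain] if sep else list(DOMAINS)
    for dom in candidates:
        uid = DOMAINS.get(dom, {}).get(user)
        if uid is not None:
            return render(fmt, user, dom), uid
    return None

def round_trip(login, fmt):
    """Application behaviour from the quote: look up the login name, then
    reuse the returned pw_name for the next step. Returns both UIDs seen."""
    first = getpwnam(login, fmt)
    if first is None:
        return None
    second = getpwnam(first[0], fmt)
    return (first[1], second[1] if second else None)

if __name__ == "__main__":
    for fmt in ("%1$s@%2$s", "%1$s"):
        for login in ("alice@ad.example.test", "carol@ad.example.test"):
            uids = round_trip(login, fmt)
            status = "consistent" if uids[0] == uids[1] else "MISMATCH"
            print(f"{fmt:10} {login:24} {uids} {status}")
```

With the qualified format both steps see the same account; with `%1$s` the second step only lands on the same account when the short name is unique across domains.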