On Thu, Apr 28, 2016 at 06:31:20PM +0000, Sullivan, Daniel [AAA] wrote:
> Jakub,
> Thank you for your reply.  I did not know that the compat tree was
> populated from sssd; Do you have any experience and or recommendation on
> using the full_name_format variable of sssd.conf to manipulate how cn’s are
> populated in anchor records?  Basically I’m interested in trying to get
> IPA to provision anchor records for a trusted domain without the @f.d.q.n
> appended to usernames.  It seems like having a custom full_name_format
> (sssd.conf) possibly in conjunction with default_domain_suffix (sssd.conf)
> might achieve this (have already done some internal testing with partial
> results, running into some issues but interested in yours and the groups
> opinion on the viability of this).

It's not possible at the moment to change the output format of the sssd
on the server or the format of the entries in the compat tree. Several
pieces of the stack (including the extdom plugin that serves requests to
the sssd clients) rely on the name being qualified at least on the
server side to function properly.

What should be possible starting with 7.3 is to have the shortnames
in the output of SSSD clients with id_provider=ipa.

But I'm not sure legacy clients would work either with shortnames
because with the legacy clients, we typically treat the whole
qualified string as a "name":

services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+) <-------

the re_expression tells sssd that the whole input string, qualified or not
is a "name", there is no separate IPA and AD domain in these setups. This
is because with the legacy clients, those clients must use the "ldap"
id_provider pointed to the compat tree and the 'ldap' provider, unlike the
'ipa' or 'ad' providers has no notion of trusted domains internally.

So if you want to use shortnames on the output, I think the best bet is
to wait for sssd-1.14 (coming in RHEL-7.3) with the ipa provider.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to