Thanks! To summarize, I know now that I will definitely need to maintain a DIT branch in my ldap server as an additional source of reference for sysaccounts if I want to be able to include them in centralized posixgroups ...

... I have tried (-:

Thanks for your time!

---
Olivier

2012/3/14 Simo Sorce <[email protected]>:
> On Wed, 2012-03-14 at 21:17 +0100, Olivier wrote:
>> Ok, I see the logic now (although I'm not completely
>> convinced from a practical point of view, to be honest:
>> a user name could be defined somewhere else, in a
>> referral ldap for example. In that case, should it be an
>> overall group consistency problem if a memberuid was
>> unknown because a referral server is not accessible?).
>>
> memberuid cannot be resolved through a referral as it cannot contain a
> DN :-)
> however if you use the "member" attribute and rfc2307bis you could end
> up chasing a referral that is temporarily broken. In that case you'd
> have a resolution issue, not an "unknown" member.
>
> I am not sure how sssd would handle a referral problem in this case,
> hopefully it would recognize the problem and just use a previously
> cached value. If it is the first lookup it would have no choice but to
> pretend the member did not exist until the next lookup.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/sssd-devel
