On Thu, May 28, 2015 at 01:31:27PM +0200, Pavel Reichl wrote:
>
>
> On 05/28/2015 11:50 AM, Sumit Bose wrote:
> >On Thu, May 28, 2015 at 11:30:34AM +0200, Jakub Hrozek wrote:
> >>On Thu, May 28, 2015 at 11:23:23AM +0200, Pavel Reichl wrote:
> >>>
> >>>On 05/28/2015 10:34 AM, Jakub Hrozek wrote:
> >>>>On Wed, May 27, 2015 at 08:00:44PM +0200, Pavel Reichl wrote:
> >>>>>Hello,
> >>>>>
> >>>>>please see design page for simple - RFE: Do not always override home
> >>>>>directory with subdomain_homedir value in server mode.
> >>>>>
> >>>>>https://fedorahosted.org/sssd/wiki/DesignDocs/use_AD_homedir
> >>>>>
> >>>>>**************************************************************************
> >>>>>**************************************************************************
> >>>>>**************************************************************************
> >>>>>
> >>>>>= Do not always override home directory with subdomain_homedir value in server mode =
> >>>>>
> >>>>>Related ticket(s):
> >>>>> * https://fedorahosted.org/sssd/ticket/2583
> >>>>>
> >>>>>=== Problem statement ===
> >>>>>Prior to sssd 1.12, we didn't have the ability to read home directory
> >>>>>values from AD in AD-IPA trust setups at all. Instead, we always used the
> >>>>>`subdomain_homedir` value. We can read custom LDAP values now, but in
> >>>>>order to stay backwards-compatible, we kept using the `subdomain_homedir`
> >>>>>value.
> >>>>>
> >>>>>=== Use cases ===
> >>>>>Users from AD with POSIX attributes want to use individually set value
> >>>>>for home directory.
> >>>>>
> >>>>>=== Overview of the solution ===
> >>>>>`subdomain_homedir` for SSSD in server mode should support '%o' template
> >>>>>expansion (The original home directory retrieved from the identity
> >>>>>provider). In case when `subdomain_homedir` would be expanded to an empty
> >>>>>string ('subdomain_homedir=%o' and AD user without POSIX attributes) SSSD
> >>>>>should not error out but `fallback_homedir` should be utilized instead.
> >>>>Are you proposing to change the default of subdomain_homedir from
> >>>>/home/%d/%u to /home/%o as well? I think we can do that in a major
> >>>>release if we properly document the change, but I think then
> >>>>fallback_homedir in IPA server mode should be changed to /home/%d/%u
> >>>>at the same time.
> >>>No I'm not proposing such change. But I like it and I can add it to design
> >>>page and implement it.
> >>Let's discuss it on the meeting today (and then circle back to the list
> >>so everything is recorded)
> >As long as this only relates to SSSD in ipa-server-mode we can use the
> >type of the idranges to switch the default of subdomain_homedir?
> I am sorry I don't follow. Could you please elaborate on how we can switch
> the default of subdomain_homedir based on type of the id ranges? Thanks!

Trusted AD domains basically can have either 'ipa-ad-trust-posix' or
'ipa-ad-trust' idrange types where the IDs are read from AD or are
autogenerated respectively. If the range type is 'ipa-ad-trust-posix' we
can assume the '%o' for subdomain_homedir and if it is 'ipa-ad-trust' we
can use '/home/%d/%u'. With this we do not have to set subdomain_homedir
or fallback_homedir in sssd.conf for new installations.

bye,
Sumit

>
> >
> >bye,
> >Sumit
> >
> >>>I would do that in a separate patch so we can delay
> >>>release of this change for a major release as you proposed. Does this work
> >>>for you?
> >>By major release I mean 1.13 :-) But yes, this should be a separate
> >>change.
> >>_______________________________________________
> >>sssd-devel mailing list
> >>sssd-devel@lists.fedorahosted.org
> >>https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
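
The behaviour proposed in this thread, modelled as an added example (not SSSD code and not part of the original messages): the default template is picked from the idrange type, '%o' is expanded, and an empty result falls back to fallback_homedir. The function names, the sample users and the domain are assumptions; the fallback value '/home/%d/%u' is the one suggested earlier in the thread.

```python
import re

# Defaults proposed in the thread, keyed by the IPA idrange type of the trusted domain.
DEFAULT_TEMPLATE = {
    "ipa-ad-trust-posix": "%o",       # IDs (and POSIX attributes) are read from AD
    "ipa-ad-trust": "/home/%d/%u",    # IDs are autogenerated
}
# fallback_homedir value suggested in the thread for IPA server mode.
FALLBACK_TEMPLATE = "/home/%d/%u"


def expand(template, user, domain, orig_homedir):
    """Expand %u (user), %d (domain) and %o (original home directory).

    A missing original home directory expands to the empty string; any
    other %x sequence is left untouched by this model.
    """
    values = {"u": user, "d": domain, "o": orig_homedir or ""}
    return re.sub(r"%([udo])", lambda m: values[m.group(1)], template)


def resolve_homedir(user, domain, range_type, orig_homedir=None,
                    subdomain_homedir=None, fallback_homedir=FALLBACK_TEMPLATE):
    """Return the home directory for a user from a trusted AD domain.

    An explicit subdomain_homedir (as set in sssd.conf) wins; otherwise the
    default follows the idrange type. If the expansion is empty, for example
    subdomain_homedir=%o and an AD user without POSIX attributes, the
    fallback template is used instead of raising an error.
    """
    template = subdomain_homedir or DEFAULT_TEMPLATE[range_type]
    homedir = expand(template, user, domain, orig_homedir)
    if homedir == "":
        homedir = expand(fallback_homedir, user, domain, orig_homedir)
    return homedir


if __name__ == "__main__":
    # Constructed sample users, not taken from the thread.
    print(resolve_homedir("alice", "ad.example.com", "ipa-ad-trust-posix",
                          orig_homedir="/home/ad/alice"))
    print(resolve_homedir("bob", "ad.example.com", "ipa-ad-trust-posix"))
    print(resolve_homedir("carol", "ad.example.com", "ipa-ad-trust",
                          orig_homedir="/srv/carol"))
```
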