URL: https://github.com/SSSD/sssd/pull/21
Title: #21: IFP: expose user and group unique IDs through DBus

tequeter commented:
> > I considered using the gid provided by SSSD for that purpose (but it is not
> > guaranteed to be consistent on all computers, from sssd-ldap(5)/ID MAPPING),
> Could you quote please?

From sssd-ldap(5):
> NOTE: It is possible to encounter collisions in the hash and subsequent 
> modulus. In these situations, we will select the next available slice, but it 
> may not be possible to reproduce the same exact set of slices on other 
> machines (since the order that they are encountered will determine their 
> slice). 

The customer will be performing authorization at application level by matching 
the group identifiers to identifiers "well known" to the application. Thus they 
must have a value guaranteed to be identical everywhere.

In that regard GUIDs seem rock-solid, while hashed values sound more leaving a 
ticking bomb behind me (new domains, mergers etc.)

As for ```user_attributes```: it's not available for groups, only for users. It 
would have fit the bill perfectly otherwise.

See the full comment at 
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to