URL: https://github.com/SSSD/sssd/pull/21 Title: #21: IFP: expose user and group unique IDs through DBus
jhrozek commented: """ On Mon, Sep 19, 2016 at 02:49:21AM -0700, tequeter wrote: > > > I considered using the gid provided by SSSD for that purpose (but it is > > > not > > > guaranteed to be consistent on all computers, from sssd-ldap(5)/ID > > > MAPPING), > > > > Could you quote please? > > From sssd-ldap(5): > > NOTE: It is possible to encounter collisions in the hash and subsequent > > modulus. In these situations, we will select the next available slice, but > > it may not be possible to reproduce the same exact set of slices on other > > machines (since the order that they are encountered will determine their > > slice). > > The customer will be performing authorization at application level by > matching the group identifiers to identifiers "well known" to the > application. Thus they must have a value guaranteed to be identical > everywhere. > > In that regard GUIDs seem rock-solid, while hashed values sound more leaving > a ticking bomb behind me (new domains, mergers etc.) > > As for ```user_attributes```: it's not available for groups, only for users. > It would have fit the bill perfectly otherwise. I wonder if it was more systematic to implement "group_attributes". And another question -- why did you choose GUIDs and not SIDs? """ See the full comment at https://github.com/SSSD/sssd/pull/21#issuecomment-247958333
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
