URL: https://github.com/SSSD/sssd/pull/21
Title: #21: IFP: expose user and group unique IDs through DBus

jhrozek commented:
"""
On Mon, Sep 19, 2016 at 02:49:21AM -0700, tequeter wrote:
> > > I considered using the gid provided by SSSD for that purpose (but it is
> > > not guaranteed to be consistent on all computers, from
> > > sssd-ldap(5)/ID MAPPING),
> > 
> > Could you quote please?
> 
> From sssd-ldap(5):
> > NOTE: It is possible to encounter collisions in the hash and subsequent 
> > modulus. In these situations, we will select the next available slice, but 
> > it may not be possible to reproduce the same exact set of slices on other 
> > machines (since the order that they are encountered will determine their 
> > slice). 
> 
> The customer will be performing authorization at application level by 
> matching the group identifiers to identifiers "well known" to the 
> application. Thus they must have a value guaranteed to be identical 
> everywhere.
> 
> In that regard GUIDs seem rock-solid, while hashed values sound more like
> leaving a ticking bomb behind me (new domains, mergers etc.)
> 
> As for ```user_attributes```: it's not available for groups, only for users. 
> It would have fit the bill perfectly otherwise.

I wonder if it would be more systematic to implement "group_attributes".

And another question -- why did you choose GUIDs and not SIDs?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/21#issuecomment-247958333
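
The slice behaviour quoted from sssd-ldap(5) in the comment above, as an added example that is not part of the original thread or of SSSD's code: a simplified model showing how two hosts that encounter colliding domains in a different order map the same group SID to different GIDs. The hash (SHA-256 as a stand-in), the range parameters, the wrap-around on collision, the domain SIDs and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed parameters, kept tiny so a collision is certain; not SSSD defaults.
RANGE_MIN, SLICE_SIZE, NUM_SLICES = 200000, 200000, 4

def preferred_slice(domain_sid):
    # Stand-in hash (SHA-256) followed by a modulus, as the man page note describes.
    digest = hashlib.sha256(domain_sid.encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_SLICES

def assign_slices(domains_in_order):
    """Give each domain its preferred slice, or the next free one on collision."""
    assigned = {}
    for sid in domains_in_order:
        if len(assigned) >= NUM_SLICES:
            raise RuntimeError("no free slice left")
        slot = preferred_slice(sid)
        while slot in assigned.values():
            slot = (slot + 1) % NUM_SLICES  # assumption: search wraps around
        assigned[sid] = slot
    return assigned

def mapped_gid(assigned, domain_sid, rid):
    # Simplified mapping: base of the domain's slice plus the RID.
    return RANGE_MIN + assigned[domain_sid] * SLICE_SIZE + rid

def colliding_pair():
    """Pigeonhole: among NUM_SLICES + 1 constructed SIDs, two share a slice."""
    seen = {}
    for i in range(NUM_SLICES + 1):
        sid = f"S-1-5-21-1000-2000-{3000 + i}"  # constructed domain SID
        slot = preferred_slice(sid)
        if slot in seen:
            return seen[slot], sid
        seen[slot] = sid
    raise AssertionError("unreachable")

def compare_hosts(rid=513):
    dom_a, dom_b = colliding_pair()
    host1 = assign_slices([dom_a, dom_b])  # host 1 meets dom_a first
    host2 = assign_slices([dom_b, dom_a])  # host 2 meets dom_b first
    return {
        "group_sid": f"{dom_b}-{rid}",     # identical on both hosts
        "gid_host1": mapped_gid(host1, dom_b, rid),
        "gid_host2": mapped_gid(host2, dom_b, rid),
    }

if __name__ == "__main__":
    print(compare_hosts())
```

The SID is the same string on both hosts while the mapped GID differs by a whole number of slices, which is why the thread looks for a directory-side identifier for application-level authorization.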