Title: #21: IFP: expose user and group unique IDs through DBus
On Mon, Sep 19, 2016 at 02:49:21AM -0700, tequeter wrote:
> > > I considered using the gid provided by SSSD for that purpose (but it is not
> > > guaranteed to be consistent on all computers, from sssd-ldap(5)/ID MAPPING),
> > Could you quote please?
> From sssd-ldap(5):
> > NOTE: It is possible to encounter collisions in the hash and subsequent
> > modulus. In these situations, we will select the next available slice, but
> > it may not be possible to reproduce the same exact set of slices on other
> > machines (since the order that they are encountered will determine their
> > slice).
> The customer will be performing authorization at application level by
> matching the group identifiers to identifiers "well known" to the
> application. Thus they must have a value guaranteed to be identical
> In that regard GUIDs seem rock-solid, while hashed values sound more like
> leaving a ticking bomb behind me (new domains, mergers etc.)
> As for `user_attributes`: it's not available for groups, only for users.
> It would have fit the bill perfectly otherwise.
I wonder if it would be more systematic to implement "group_attributes".
And another question -- why did you choose GUIDs and not SIDs?
sssd-devel mailing list -- email@example.com
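Added example, not part of the thread and not SSSD's code: a simplified Python model of the slice selection described in the quoted sssd-ldap(5) note, showing one group SID mapping to different GIDs on two hosts that met two colliding domains in a different order. The hash (SHA-256), the next-slice probing, the range values, the 8-slice table and the domain SIDs are assumptions constructed for the illustration.

```python
import hashlib

# Model values (assumptions); NUM_SLICES is tiny so a collision is easy to find.
RANGE_MIN, RANGE_SIZE, NUM_SLICES = 200000, 200000, 8

def preferred_slice(domain_sid):
    # Stand-in hash (SHA-256), not the hash SSSD uses.
    digest = hashlib.sha256(domain_sid.encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_SLICES

class SliceMap:
    """Per-host slice table: first domain seen keeps its preferred slice."""
    def __init__(self):
        self.by_domain, self.taken = {}, set()

    def slice_for(self, domain_sid):
        if domain_sid not in self.by_domain:
            s = preferred_slice(domain_sid)
            for _ in range(NUM_SLICES):
                if s not in self.taken:
                    break
                s = (s + 1) % NUM_SLICES   # collision: try the next slice
            else:
                raise RuntimeError("no free slice left")
            self.taken.add(s)
            self.by_domain[domain_sid] = s
        return self.by_domain[domain_sid]

    def gid(self, group_sid):
        domain_sid, rid = group_sid.rsplit("-", 1)
        return RANGE_MIN + self.slice_for(domain_sid) * RANGE_SIZE + int(rid)

def find_colliding_domains():
    # Constructed domain SIDs; NUM_SLICES + 1 candidates guarantee a collision.
    seen = {}
    for i in range(NUM_SLICES + 1):
        sid = f"S-1-5-21-1000-2000-{3000 + i}"
        s = preferred_slice(sid)
        if s in seen:
            return seen[s], sid
        seen[s] = sid
    raise AssertionError("unreachable: pigeonhole")

def gids_on_two_hosts(rid=1104):
    dom_a, dom_b = find_colliding_domains()
    group_sid = f"{dom_a}-{rid}"           # same group, same SID on both hosts
    host1, host2 = SliceMap(), SliceMap()
    host1.slice_for(dom_a)                 # host1 meets domain A first
    host2.slice_for(dom_b)                 # host2 meets domain B first
    return group_sid, host1.gid(group_sid), host2.gid(group_sid)
```

In this model the two GIDs differ by a whole number of slices while the group SID string is identical on both hosts, which is the property the application-level matching in the thread depends on.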