URL: https://github.com/SSSD/sssd/pull/479
Author: jhrozek
Title: #479: MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3547

The IPA and AD auth and access providers rely (often for performance reasons) on certain properties that are set during the user or group resolution with the same provider type. However, there are users who wish to combine different provider types, typically to use identities from local UNIX files but authenticate against a remote server.

We should discourage that in our documentation. But at the same time, I think flat out failing would be too harsh... I was also thinking about printing a DEBUG message during initialization, if the reviewer thinks this is a good idea, I'll do that as well.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/479/head:pr479
git checkout pr479
From 0c8441c21101e2af7b0a0fa536ac7f1468968a60 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Fri, 15 Dec 2017 17:52:20 +0100 Subject: [PATCH] MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type Resolves: https://pagure.io/SSSD/sssd/issue/3547 The IPA and AD auth and access providers rely (often for performance reasons) on certain properties that are set during the user or group resolution with the same provider type. However, there are users who wish to combine different provider types, typically to use identities from local UNIX files but authenticate against a remote server. We should discourage that in our documentation (but at the same time, I think flat our failing would be too harsh..) --- src/man/sssd-ad.5.xml | 6 ++++++ src/man/sssd-ipa.5.xml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index c4a3fc2b5..2cb9cf3a9 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml @@ -75,6 +75,12 @@ sudo and autofs provider. No configuration of the access provider is required on the client side. </para> + <para> + Note that both auth and access AD providers rely on the + id_provider being set to "ad" as well. If you wish to use a + different id_provider, but authenticate against an AD server, + use auth_provider=krb5, + </para> <para> By default, the AD provider will map UID and GID values from the objectSID parameter in Active Directory. For details on this, see diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index d53d0c3c3..a28c51785 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml 
@@ -63,6 +63,12 @@ rules. Please refer to freeipa.org for more information about HBAC. No configuration of access provider is required on the client side. </para> + <para> + Note that both auth and access IPA providers rely on the + id_provider being set to "ipa" as well. If you wish to use a + different id_provider, but authenticate against an IPA server, + use auth_provider=krb5, + </para> <para> The IPA provider will use the PAC responder if the Kerberos tickets of users from trusted realms contain a PAC. To make configuration
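Review bot: In the src/man/sssd-ad.5.xml hunk the added paragraph ends on a comma ("use auth_provider=krb5,"), so the rendered man page will show an unfinished sentence; end it with a period. The paragraph also says that both the auth and access AD providers rely on id_provider being "ad", yet it offers a replacement only for auth_provider. Please add what an admin with a different id_provider should set for access_provider, or state that the AD access provider is not usable in that setup.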
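Review bot: In the src/man/sssd-ipa.5.xml hunk the new paragraph gives the rule without the reason that the commit message gives for it (the providers depend on properties set during user or group resolution by the same provider type). One clause saying so would tell admins this is a functional dependency and not a style preference. It also lands directly after "No configuration of access provider is required on the client side", which a reader using another id_provider could take to mean HBAC still applies; say explicitly that it requires id_provider=ipa. The same trailing comma after "use auth_provider=krb5," needs to become a period here too.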