> Yes, sssd silos each identity domain completely, the only 'exception' is local
> groups but that's almost an accident of how nsswitch worked historically.

Would you consider an RFE to add a "posix domain" group definition (or perhaps 
"global groups")? That way, group info brought in via individual domain 
declarations would be siloed (because it is assumed to have been defined 
upstream, where only the users from that domain are available), but there's at 
least the possibility of allowing central control over grouping the set of 
users available to the local machine. Frankly, with the exception of the 
attributes which describe the human (name, contact info, etc.) I don't have 
much use for upstream identity information, and I need to adapt it.

Likewise, a "local domain override" option for identity information would be 
useful. (e.g., define an identity store in the global section, to be used by 
any domain with "override" in the id slot.) This indicates that 
mapping/overrides/collision resolution is handled at the domain level, while 
still allowing the individual specification of upstream authentication sources. 
I'm currently doing this with OpenLDAP's translucent proxy, but it sounds like 
the FreeIPA notion of views is heading in this same direction and will require 
the same support from sssd.

For the moment, my need is small enough that I can implement a workaround with 
filesystem ACLs, but I intend to have bigger needs.

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users