On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
> On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
> > On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> > > On 24.8.2016 09:03, Joakim Tjernlund wrote:
> > > > 
> > > > Getting to the of our AD domain migration but there is one step I
> > > > haven't solved.
> > > > Our users have UID/GID in the new domain while the already present users
> > > > in the new domain do not. Assigning UID/GID to all users does not sit
> > > > well with upstream IT so I am looking at what to do with these when
> > > > they visit/access our site.
> > > > 
> > > > What comes to mind is partial id_mapping: if a user has UID/GID in the
> > > > AD use that, otherwise do id_mapping for that user (preferably the same
> > > > way samba does it since we already have a samba based interim solution).
> > > > 
> > > > I haven't found a way to do that in sssd, is there?
> > > > Maybe I am just full of it and this is really a bad idea?
> > > 
> > > Are you using FreeIPA? FreeIPA got support for "ID Views" which can be
> > > used for this purpose. (I'm not very sure about the pure-SSSD case.)

It is also possible in the pure-SSSD case, see man sss_override for
details.

> > 
> > I wish, but this is a Windows AD :(
> 
> Petr had IPA-AD trusts in mind, I guess.
> 
> Partial ID mapping is not possible, sorry.

Yes, SSSD cannot do this automatically because we can never be sure that
a UID/GID attribute will be added in future to a user who currently
does not have them set.

But sss_override might help you. Depending on whether new users created
in AD will have UID/GID set or not you can create overrides for the
existing users with or without them and then use ldap_id_mapping 'true'
or 'false' respectively.

Since this is not a centrally managed solution you have to do this on
every host running SSSD and you have to load the overrides again each
time you remove the cache, see user-import and user-export in man
sss_override for details. Depending on the number of clients it might
make sense to introduce FreeIPA to have a centrally managed solution for
this.

bye,
Sumit
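As an added example (not code from the thread or from the SSSD project), the following script shows one way to prepare the per-host overrides Sumit describes for the case where ldap_id_mapping is set to false: users that already carry uidNumber/gidNumber in AD are left alone, and users without them get a UID computed the way Samba's idmap_rid backend does it (ID = RID - BASE_RID + LOW_ID, as documented in idmap_rid(8)), emitted as `sss_override user-add` commands (the -u/-g options are documented in sss_override(8)). The user list, SIDs, domain name and ID range are constructed for the example; the 513 "Domain Users" RID is the standard well-known RID. Generated IDs are checked against IDs already assigned in AD so a collision is caught before any override is created.

```python
"""Plan sss_override entries for AD users that lack POSIX attributes.

Added example, not part of the sssd-users thread or of SSSD itself.
Assumes sssd.conf has ldap_id_mapping = False, so users with
uidNumber/gidNumber need nothing and only the rest need overrides.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed range, mirroring a Samba "idmap config DOM : range = 100000-199999"
LOW_ID = 100000
HIGH_ID = 199999
BASE_RID = 0                 # idmap_rid "base_rid" default
DOMAIN_USERS_RID = 513       # well-known RID of the Domain Users group


@dataclass
class AdUser:
    name: str                    # fully qualified SSSD user name (constructed)
    sid: str                     # objectSid, e.g. S-1-5-21-x-y-z-RID (constructed)
    uid: Optional[int] = None    # uidNumber, None when unset in AD
    gid: Optional[int] = None    # gidNumber, None when unset in AD


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_id(rid: int) -> int:
    """Same arithmetic as Samba's idmap_rid backend, bounded to the range."""
    posix_id = rid - BASE_RID + LOW_ID
    if not LOW_ID <= posix_id <= HIGH_ID:
        raise ValueError(f"RID {rid} maps outside {LOW_ID}-{HIGH_ID}")
    return posix_id


def plan_overrides(users: List[AdUser]) -> List[Tuple[str, int, int]]:
    """Return (name, uid, gid) for every user that needs an override.

    Users with a uidNumber are skipped.  Users without one get an
    idmap_rid-style UID; their GID is the AD gidNumber if present,
    otherwise the idmap_rid mapping of Domain Users.  A generated UID
    that equals a UID already assigned in AD is an error, not silently
    reused.
    """
    taken = {u.uid for u in users if u.uid is not None}
    plan = []
    for u in users:
        if u.uid is not None:
            continue
        uid = rid_to_id(rid_of(u.sid))
        if uid in taken:
            raise ValueError(
                f"generated uid {uid} for {u.name} collides with an AD-assigned uidNumber")
        taken.add(uid)
        gid = u.gid if u.gid is not None else rid_to_id(DOMAIN_USERS_RID)
        plan.append((u.name, uid, gid))
    return plan


def override_commands(plan: List[Tuple[str, int, int]]) -> List[str]:
    """Render the plan as sss_override commands to run on each SSSD host."""
    return [f"sss_override user-add {name} -u {uid} -g {gid}" for name, uid, gid in plan]


# Constructed sample directory content for the example domain ad.example.com
SAMPLE_USERS = [
    AdUser("alice@ad.example.com", "S-1-5-21-1111-2222-3333-1105", uid=5001, gid=5000),
    AdUser("bob@ad.example.com", "S-1-5-21-1111-2222-3333-1106"),
    AdUser("carol@ad.example.com", "S-1-5-21-1111-2222-3333-1107", gid=5000),
]

if __name__ == "__main__":
    for cmd in override_commands(plan_overrides(SAMPLE_USERS)):
        print(cmd)
```

The printed commands are what an administrator would run on every SSSD host (or capture once with `sss_override user-export` and replay with `sss_override user-import` after a cache wipe, as the reply above notes). Because the generated values come from the RID, two hosts given the same range produce the same IDs, which is what makes them usable alongside the existing Samba-based interim setup.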

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]