On Wed, 2016-08-24 at 11:02 +0200, Sumit Bose wrote:
> On Wed, Aug 24, 2016 at 09:52:17AM +0200, Jakub Hrozek wrote:
> > On Wed, Aug 24, 2016 at 07:39:54AM +0000, Joakim Tjernlund wrote:
> > > On Wed, 2016-08-24 at 09:14 +0200, Petr Spacek wrote:
> > > > On 24.8.2016 09:03, Joakim Tjernlund wrote:
> > > > > Getting to the of our AD domain migration but there is one step I
> > > > > haven't solved.
> > > > > Our users have UID/GID in the new domain while the already present
> > > > > users in the new domain do not. Assigning UID/GID to all users does
> > > > > not sit well with upstream IT so I am looking at what to do with
> > > > > these when they visit/access our site.
> > > > >
> > > > > What comes to mind is partial id_mapping: if a user has UID/GID in
> > > > > the AD use that, otherwise do id_mapping for that user (preferably
> > > > > the same way samba does it since we already have a samba based
> > > > > interim solution).
> > > > >
> > > > > I haven't found a way to do that in sssd, is there?
> > > > > Maybe I am just full of it and this is really a bad idea?
> > > >
> > > > Are you using FreeIPA? FreeIPA got support for "ID Views" which can be
> > > > used for this purpose. (I'm not very sure about pure-SSSD case.)
>
> It is also possible in the pure-SSSD case, see man sss_override for
> details.
>
> > > I wish, but this is a Windows AD :(
> >
> > Petr had IPA-AD trusts in mind, I guess.
> >
> > Partial ID mapping is not possible, sorry.
>
> yes, SSSD cannot do this automatically because we can never be sure that
> a UID/GID attribute will be added in future to a user who currently
> does not have them set.

I see, but does not sssd refresh/check cached values against AD regularly?
Or mark the non UID/GID user as do not cache?

> But sss_override might help you. Depending on whether new users created
> in AD will have UID/GID set or not you can create overrides for the
> existing users with or without them and then use ldap_id_mapping 'true'
> or 'false' respectively.
>
> Since this is not a centrally managed solution you have to do this on
> every host running SSSD and you have to load the overrides again each
> time you remove the cache, see user-import and user-export in man
> sss_override for details. Depending on the number of clients it might
> make sense to introduce FreeIPA to have a centrally managed solution for
> this.

Ouch, this is not really manageable.

 Jocke

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
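The two options Sumit describes (override the users lacking UID/GID and run with ldap_id_mapping = false, or override the users that have them and run with ldap_id_mapping = true) can be turned into a batch of sss_override commands; the script below is an added example, not code from the thread or from the SSSD project. It assumes a Samba idmap_rid style range of 200000-2000000, fully qualified names of the form user@domain, and constructed sample directory entries.

```python
"""Emit sss_override commands for an AD domain where only some users carry
uidNumber/gidNumber, following the two options given in the thread:
  "attrs": ldap_id_mapping = false (new users WILL have the attributes), so
           only users lacking them get an override; IDs come from the SID RID
           the way Samba's idmap_rid does it (ID = low_range + RID - base_rid).
  "map":   ldap_id_mapping = true (new users will NOT have them), so only
           users that do have them get an override pinning those values."""
import shlex

# Constructed sample directory entries, not real accounts.
SAMPLE_USERS = [
    {"name": "alice", "sid": "S-1-5-21-1111-2222-3333-1105",
     "primaryGroupID": 513, "uidNumber": 10001, "gidNumber": 10000},
    {"name": "bob", "sid": "S-1-5-21-1111-2222-3333-1106",
     "primaryGroupID": 513},                    # no POSIX attributes at all
    {"name": "carol", "sid": "S-1-5-21-1111-2222-3333-1107",
     "primaryGroupID": 513, "uidNumber": 10002, "gidNumber": 10000},
]

def rid_of(sid):
    """The last component of an objectSid string is the RID."""
    return int(sid.rsplit("-", 1)[1])

def idmap_rid(rid, low=200000, high=2000000, base_rid=0):
    """Samba idmap_rid arithmetic (range values are assumed); refuse IDs
    that would land outside the configured range."""
    posix_id = low + rid - base_rid
    if not low <= posix_id <= high:
        raise ValueError(f"RID {rid} maps to {posix_id}, outside {low}-{high}")
    return posix_id

def override_commands(users, mode, domain):
    """One 'sss_override user-add' command per user that needs an override;
    names are fully qualified (user@domain), assumed to match the SSSD setup."""
    cmds = []
    for u in users:
        has_posix = "uidNumber" in u and "gidNumber" in u
        if mode == "attrs" and not has_posix:     # fill in the missing IDs
            uid = idmap_rid(rid_of(u["sid"]))
            gid = idmap_rid(u["primaryGroupID"])  # primary group RID -> GID
        elif mode == "map" and has_posix:         # pin the AD-provided IDs
            uid, gid = u["uidNumber"], u["gidNumber"]
        else:
            continue
        name = shlex.quote(f"{u['name']}@{domain}")
        cmds.append(f"sss_override user-add {name} -u {uid} -g {gid}")
    return cmds

if __name__ == "__main__":
    print("\n".join(override_commands(SAMPLE_USERS, "attrs", "example.com")))
```

The generated commands still have to be run on every SSSD host, and the result exported with sss_override user-export so it can be re-imported after a cache wipe, exactly the per-host burden the thread points out.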
