[Freeipa-devel] [RFC] Migrating existing environments to Trust

Sumit Bose sbose at redhat.com
Thu Apr 17 15:20:33 UTC 2014


On Thu, Apr 17, 2014 at 01:25:08PM +0300, Alexander Bokovoy wrote:
> On Thu, 17 Apr 2014, Sumit Bose wrote:
> >On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote:
> >>On 04/15/2014 05:13 AM, Sumit Bose wrote:
> >>>Hi,
> >>>
> 
> 
> >>>#* Shall we allow different UIDs/GIDs in different views?
> >>
> >>Yes.
> >
> >I hope the admin knows what he does in this case. I think it's similar
> >to the user name; is there really a use-case for this which
> >cannot be solved better by creating a new user with the given UID? Think
> >about what happens if a host is moved to a new host group e.g. to change
> >the HBAC rules but by chance has now a different view with different
> >UIDs?
> Again, question is what purpose would such view serve? Given that only
> new SSSD version can resolve these views properly and a likely reason
> for deviating would be to present such a user somewhere on a legacy
> system, I see certain conflict of use case wishes.

It just came to my mind that it is even more complicated. Although the
use case is to provide UIDs and GIDs if they are not set in AD, we have
to handle the case where they are set in AD. What if there are now two
different override views for this AD user, one with and one without an
override UID? In the case where an override UID is given, IMO the
override UID should be used. But I wonder what would be the right way if
e.g. there is only a shell attribute in the override view for the user?
Shall we assume that the user will have the UID set in AD and have
different UIDs in different views again, or none at all, because there is
none given in the view?

I think the best way to solve this is to say that in all views the UID
will be the same. If the override UID is set, the AD user will get this
UID. If the override UID is not set, then it depends on the AD settings.
If a UID is set in AD the user will get this one from AD; if not, he will
have none at all, which is fine for the web apps use-case.

If we can agree on this we should consider modifying the suggested LDAP
schema so that it is possible to e.g. have different shells and home
directories in different views but always the same UID/GID settings.

bye,
Sumit
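
The following sketch is an added example, not part of the original message and not FreeIPA or SSSD code. It models the per-view override case discussed above (override UID wins, otherwise the AD UID, otherwise none) and reports users whose effective UID differs between views; the data layout, attribute names and sample users are constructed assumptions.

```python
from typing import Dict, Optional

# Constructed sample data; layout and attribute names are hypothetical,
# not the LDAP schema suggested in the RFC.
AD_UIDS: Dict[str, Optional[int]] = {
    "alice@ad.example": 10001,   # UID set in AD
    "bob@ad.example": None,      # no POSIX attributes in AD
    "carol@ad.example": None,
}

# view -> user -> override attributes (the "UID may differ per view" model)
VIEWS = {
    "legacy": {
        "alice@ad.example": {"uid": 5001, "shell": "/bin/ksh"},
        "bob@ad.example": {"uid": 5002},
    },
    "default": {
        "alice@ad.example": {"shell": "/bin/bash"},  # shell only, no UID
        "bob@ad.example": {"uid": 5002, "shell": "/bin/bash"},
        "carol@ad.example": {"shell": "/bin/bash"},
    },
}


def effective_uid(user, view, views=VIEWS, ad_uids=AD_UIDS) -> Optional[int]:
    """Override UID wins; otherwise the AD UID; otherwise no UID at all."""
    override = views.get(view, {}).get(user, {})
    if override.get("uid") is not None:
        return override["uid"]
    return ad_uids.get(user)


def uid_conflicts(views=VIEWS, ad_uids=AD_UIDS):
    """Return {user: {view: uid}} for users whose UID differs between views."""
    users = {u for entries in views.values() for u in entries}
    conflicts = {}
    for user in sorted(users):
        per_view = {v: effective_uid(user, v, views, ad_uids) for v in sorted(views)}
        if len(set(per_view.values())) > 1:
            conflicts[user] = per_view
    return conflicts


if __name__ == "__main__":
    for user, per_view in uid_conflicts().items():
        print(f"{user}: inconsistent UID across views: {per_view}")
```

In the sample data, alice is flagged because the view that overrides only her shell falls back to the AD UID while the other view carries an override UID, which is the ambiguity the message describes.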