[Freeipa-devel] [RFC] Migrating existing environments to Trust

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 17 15:39:12 UTC 2014

On Thu, 17 Apr 2014, Sumit Bose wrote:
>On Thu, Apr 17, 2014 at 01:25:08PM +0300, Alexander Bokovoy wrote:
>> On Thu, 17 Apr 2014, Sumit Bose wrote:
>> >On Wed, Apr 16, 2014 at 09:02:00PM -0400, Dmitri Pal wrote:
>> >>On 04/15/2014 05:13 AM, Sumit Bose wrote:
>> >>>Hi,
>> >>>
>> >>>#* Shall we allow different UIDs/GIDs in different views?
>> >>
>> >>Yes.
>> >
>> >I hope the admin knows what he does in this case. I think it's similar
>> >to the user name case: is there really a use-case for this which
>> >cannot be solved better by creating a new user with the given UID? Think
>> >about what happens if a host is moved to a new host group, e.g. to change
>> >the HBAC rules, but by chance now has a different view with different
>> >UIDs?
>> Again, the question is what purpose such a view would serve. Given that only
>> the new SSSD version can resolve these views properly and a likely reason
>> for deviating would be to present such a user somewhere on a legacy
>> system, I see a certain conflict of use-case wishes.
>It just came to my mind that it is even more complicated. Although the
>use case is to provide UIDs and GIDs if they are not set in AD, we have
>to handle the case where they are set in AD. What if there are now two
>different override views for this AD user, one with and one without an
>override UID? In the case where an override UID is given, imo the
>override UID should be used. But I wonder what would be the right way if
>e.g. there is only a shell attribute in the override view for the user?
>Shall we assume that the user will have the UID set in AD and have
>different UIDs in different views again, or none at all, because there is
>none given in the view?
>I think the best way to solve this is to say that in all views the UID
>will be the same. If the override UID is set, the AD user will get this
>UID. If the override UID is not set, then it depends on the AD settings.
>If a UID is set in AD, the user will get this one from AD; if not, he will
>have none at all, which is fine for the web apps use-case.

>If we can agree on this we should consider modifying the suggested LDAP
>schema so that it is possible to e.g. have different shells and home
>directories in different views but always the same UID/GID settings.

/ Alexander Bokovoy
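The resolution rule proposed in the quoted message, as an added illustration written for this thread (not FreeIPA or SSSD code, and not the LDAP schema under discussion): UID/GID come from a view-independent override if one exists, otherwise from AD, otherwise the user has none; only shell and home directory may differ per view. The class names, the split into `IDOverride` and `ViewOverride`, and the sample users are assumptions made for the example. The `uid_conflicts` helper audits the design being argued against (UID stored per view) by listing users whose UID would change when a host moves to a host group with a different view.

```python
"""Added example: resolving a trusted AD user through ID views.

Illustrative code written for this discussion, not FreeIPA or SSSD code.
It models the rule proposed above: UID/GID are the same in every view
(override UID if set, else the UID published by AD, else none), while
shell and home directory may be overridden per view.  All class and
function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ADUser:
    """POSIX-relevant attributes of a user in the trusted AD domain.
    uid/gid are None when AD does not publish them (the web-apps case)."""
    name: str
    uid: Optional[int] = None
    gid: Optional[int] = None
    shell: Optional[str] = None
    homedir: Optional[str] = None


@dataclass
class IDOverride:
    """View-independent ID override: applies identically in every view."""
    uid: Optional[int] = None
    gid: Optional[int] = None


@dataclass
class ViewOverride:
    """Per-view override: only attributes that may legitimately differ."""
    shell: Optional[str] = None
    homedir: Optional[str] = None


@dataclass
class IDView:
    name: str
    overrides: Dict[str, ViewOverride] = field(default_factory=dict)


@dataclass(frozen=True)
class Resolved:
    name: str
    uid: Optional[int]
    gid: Optional[int]
    shell: Optional[str]
    homedir: Optional[str]


def resolve(user: ADUser, id_overrides: Dict[str, IDOverride],
            view: Optional[IDView]) -> Resolved:
    """Resolve `user` as seen from `view` (None = host with no view applied)."""
    ido = id_overrides.get(user.name)
    # Identity: override wins, then AD, then nothing.  Never depends on the view.
    uid = ido.uid if ido and ido.uid is not None else user.uid
    gid = ido.gid if ido and ido.gid is not None else user.gid
    # Presentation attributes: per-view override wins, then AD, then nothing.
    vo = view.overrides.get(user.name) if view else None
    shell = vo.shell if vo and vo.shell is not None else user.shell
    homedir = vo.homedir if vo and vo.homedir is not None else user.homedir
    return Resolved(user.name, uid, gid, shell, homedir)


def uid_conflicts(per_view_uids: Dict[str, Dict[str, int]]) -> Dict[str, Set[int]]:
    """Audit helper for the rejected design (UID stored per view): report
    users whose override UID differs between views, i.e. whose identity
    would change when a host is moved to a host group with another view."""
    seen: Dict[str, Set[int]] = {}
    for uids in per_view_uids.values():
        for user, uid in uids.items():
            seen.setdefault(user, set()).add(uid)
    return {u: s for u, s in seen.items() if len(s) > 1}


# Constructed sample data (not from any real deployment).
AD_USERS = {
    # No POSIX IDs published in AD; IDs come from the override below.
    "alice": ADUser("alice", shell="/bin/bash", homedir="/home/alice"),
    # POSIX IDs published in AD, no override.
    "bob": ADUser("bob", uid=5000, gid=5000, shell="/bin/bash", homedir="/home/bob"),
    # Nothing in AD and nothing overridden: resolves with no UID at all.
    "carol": ADUser("carol"),
}
ID_OVERRIDES = {"alice": IDOverride(uid=10001, gid=10001)}
VIEWS = {
    "webapps": IDView("webapps", {"alice": ViewOverride(shell="/sbin/nologin")}),
    "legacy": IDView("legacy", {"alice": ViewOverride(homedir="/export/home/alice")}),
}


if __name__ == "__main__":
    for vname, view in VIEWS.items():
        for u in AD_USERS.values():
            print(vname, resolve(u, ID_OVERRIDES, view))
```

Running it shows alice with UID 10001 in both views but a different shell and home directory in each, bob with his AD UID 5000 everywhere, and carol with no UID in any view.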
