[Freeipa-devel] [RFC] Migrating existing environments to Trust
Simo Sorce
simo at redhat.com
Fri Apr 18 05:53:30 UTC 2014
On Thu, 2014-04-17 at 23:58 -0400, Dmitri Pal wrote:
> > yes, this can already be controlled by the idrange type. But you
> have to
> > choose either algorithmic or manual mapping you cannot have both in
> a
> > given domain. What you can do is to create a domain in the AD forest
> for
> > the old users and one for the new users. Now you can use manual
> mapping
> > for the old-users-domain and algorithmic mapping for the
> > new-users-domain.
>
> If this requires moving users between domains on AD side then this is
> a
> non starter.
> The more I read it the more I think that decision is wrong and it is
> bug.
>
What we can do is halfway, if an overlay view is activate for an AD
domain then in IPA we have options to automatically generate IDs for any
AD user (if the admin wants), these IDs get stored in the Ad overlaying
view.
>From the SSSD pov no algoritmic mapping is occurring as SSSD always
looks for the IDs in IPA.
Note that we have to do this anyway if you want to allow also legacy
clients to see the same ids, so it seem to me the best/only possible
way.
The only caveat is that it requires some development on the IPA side to
do this object creation, but it is not a lot of code as we can reuse DNA
for the actual ID allocation, we just need to create the entry in the
view.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list