[Freeipa-users] Quick question regarding modifying attributes

Alexander Bokovoy abokovoy at redhat.com
Mon May 2 11:02:56 UTC 2016


On Mon, 02 May 2016, Sullivan, Daniel [AAA] wrote:
>Hi, Jakub,
>
>Thank you for taking the time to reply to my email.  It is nice to know
>that short names will be possible in 7.3.  Unfortunately this will not
>address the problem we are trying to resolve; to make a long story
>short we are working with a proprietary system called Isilon OneFS (a
>scale out NAS platform made by EMC); we are aggregating records from
>disparate authentication sources into a single identity (the mapping
>engine is proprietary).   The aggregation logic implemented matches
>based on username.  So, we need the user (and group) names in their
>short representation served up via either LDAP or NIS, not just via
>SSSD.
>
>It sounds like with 7.3 it might be possible to do this if we implement
>a NIS server on a client running an SSSD client with id_provider=ipa.
>
>One of the things we are struggling with is enumerating every object
>(of either user or group class) of a foreign domain via querying IPA’s
>LDAP server.  It is possible to explicitly query entries from a remote
>domain from my IPA instance via LDAP by querying for
>username@f.q.d.n, but it does not seem
>possible to query for all user objects in a foreign domain by doing
>something such as a wildcard search.  If it is possible to enumerate
>all objects from a specific class from a foreign domain (i.e. force the
>generation of anchor records), we would be interested in the methodology
>behind this.

I don't think it would be possible. That's a short answer and if you
want to discuss it, I'd hope someone from your team would be at SambaXP
next week where we could discuss it in more detail.

-- 
/ Alexander Bokovoy



