id mapping, rfc2307 and real customer environments

Alexander Bokovoy ab at samba.org
Wed May 18 05:51:05 UTC 2016


On Wed, 18 May 2016, Volker Lendecke wrote:
> On Tue, May 17, 2016 at 03:06:27PM -0700, Richard Sharpe wrote:
> > We have a customer environment where all the UNIX users are isolated
> > in a special domain, let's call it UNIX.EXAMPLE.COM. They also have
> > their Windows users scattered around domains like COAL.EXAMPLE.COM and
> > GAS.EXAMPLE.COM. Those users who have both UNIX and Windows accounts
> > have their RFC2307 attributes in UNIX.EXAMPLE.COM and attributes on
> > their account in their home domain that points to their account in the
> > UNIX.EXAMPLE.COM.
> > 
> > Sigh.
> > 
> > This means that during id mapping we would have to extract the
> > attribute that points to their UNIX.EXAMPLE.COM account from their
> > home domain, then lookup the uidNumber and whatever for that account
> > in the UNIX.EXAMPLE.COM account.
> > 
> > Even worse, users who do not have UNIX accounts do not have an entry
> > in UNIX.EXAMPLE.COM.
> > 
> > It would seem that the rfc2307 id mapping module is not going to be
> > able to deal with such a setup.
> 
> Correct. For the real unix-only users it *looks* as if it should work
> with the AD or rfc2307 modules. For the other users, with the special
> attributes pointing the mixed users at unix.example.com it looks like
> you need the idmap script backend using ldapsearch as the solution of
> last resort. The problem there are the windows-only users I guess. You
> might want to ask for a special range for them in your script and use
> a rid-backend like scheme to invent unix ids.
> 
> > Are there any alternatives or do we have to write our own id mapping module?
> 
> Well, idmap script is always there. Recently I've significantly tuned it
> by parallelizing the calls for large tokens. Together with a long idmap
> cache time it should be pretty usable. In particular the negative cache
> time is just two minutes by default, you might want to extend it.
> 
> > Can sssd work for this? Does it integrate well enough with Samba as a
> > member server?
> 
> Recently I've taken a closer look at sssd, but I did not find out yet how
> to really properly integrate those two in more complex environments. You
> should open a call with RedHat for deeper questions about this I guess.
SSSD allows you to have multiple 'domains' in its configuration, each domain
representing one set of related resources. It is possible to make
separate configurations for rfc2307 and rid-based ranges associated with
different domains. As long as there will be no overlap between them in
terms of ID ranges, it should just work.

An alternative is to use FreeIPA and establish a trust to the AD forest
root. FreeIPA will then discover all domains and assign separate ID
ranges to each of them. The ranges can have different types, and SSSD
on a FreeIPA client will be able to discover them from the IPA server and
follow them.
-- 
/ Alexander Bokovoy
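The thread suggests the idmap "script" backend as the solution of last resort: follow the home-domain pointer attribute into UNIX.EXAMPLE.COM for mixed users, and hand Windows-only users an invented id from a reserved, per-domain range, with the two ranges kept from overlapping. The following is an added example, not code from Samba or from anyone in this thread. It speaks the request/response format that idmap_script(8) documents (SIDTOID / IDTOSID on the command line, UID:/GID:/SID:/ERR: on stdout), but the ldapsearch calls are replaced by constructed in-memory tables, the pointer attribute and the domain SIDs are hypothetical, and groups are not handled.

```python
"""Sketch of an idmap 'script' backend for a split UNIX / Windows domain setup.

Added example for the samba-technical thread; not Samba's code. Directory
lookups are stand-ins (constructed dicts) for the ldapsearch calls a real
script would make against the home domain and UNIX.EXAMPLE.COM.
"""
import re
import sys

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# --- constructed sample directory data (stand-ins for ldapsearch results) ---
# Home-domain accounts: objectSid -> value of a hypothetical pointer attribute
# naming the user's entry in UNIX.EXAMPLE.COM, or None if the user has no
# UNIX account at all (a Windows-only user).
HOME_DOMAIN_POINTER = {
    "S-1-5-21-1111-2222-3333-1105": "uid=alice,ou=people,dc=unix,dc=example,dc=com",
    "S-1-5-21-4444-5555-6666-2001": "uid=bob,ou=people,dc=unix,dc=example,dc=com",
    "S-1-5-21-1111-2222-3333-1106": None,
}
# UNIX.EXAMPLE.COM entries: DN -> RFC2307 uidNumber.
UNIX_UIDNUMBER = {
    "uid=alice,ou=people,dc=unix,dc=example,dc=com": 10001,
    "uid=bob,ou=people,dc=unix,dc=example,dc=com": 10002,
}

# --- ID range policy (constructed values) ---
RFC2307_RANGE = (10000, 1999999)   # ids taken from uidNumber in UNIX.EXAMPLE.COM
WINDOWS_ONLY_BASE = 2000000        # start of the invented ids for Windows-only users
DOMAIN_SLOT = 500000               # each home domain owns a slot this wide
# Domain SID -> slot index, mirroring idmap_rid's per-domain sub-ranges.
DOMAIN_SLOTS = {
    "S-1-5-21-1111-2222-3333": 0,  # COAL.EXAMPLE.COM (hypothetical SID)
    "S-1-5-21-4444-5555-6666": 1,  # GAS.EXAMPLE.COM  (hypothetical SID)
}
WINDOWS_ONLY_RANGE = (WINDOWS_ONLY_BASE,
                      WINDOWS_ONLY_BASE + DOMAIN_SLOT * len(DOMAIN_SLOTS) - 1)


def ranges_overlap(a, b):
    """True if two inclusive (low, high) id ranges share any id."""
    return a[0] <= b[1] and b[0] <= a[1]


def lookup_uidnumber(sid):
    """Follow the home-domain pointer into UNIX.EXAMPLE.COM; None if no UNIX account."""
    dn = HOME_DOMAIN_POINTER.get(sid)
    return UNIX_UIDNUMBER.get(dn) if dn else None


def sid_to_id(sid):
    """SIDTOID: prefer the RFC2307 uidNumber, else invent a RID-based id."""
    m = SID_RE.match(sid)
    if not m:
        return "ERR:not a domain user SID"
    domain_sid, rid = m.group(1), int(m.group(2))
    uid = lookup_uidnumber(sid)
    if uid is not None:
        return "UID:%d" % uid
    slot = DOMAIN_SLOTS.get(domain_sid)
    if slot is None or rid >= DOMAIN_SLOT:
        return "ERR:unknown domain or RID outside its slot"
    return "UID:%d" % (WINDOWS_ONLY_BASE + slot * DOMAIN_SLOT + rid)


def id_to_sid(kind, number):
    """IDTOSID: decide by range which scheme produced the id, then reverse it."""
    if kind != "UID":
        return "ERR:groups not handled in this example"
    if RFC2307_RANGE[0] <= number <= RFC2307_RANGE[1]:
        for sid, dn in HOME_DOMAIN_POINTER.items():
            if dn and UNIX_UIDNUMBER.get(dn) == number:
                return "SID:" + sid
        return "ERR:no such uidNumber"
    if WINDOWS_ONLY_RANGE[0] <= number <= WINDOWS_ONLY_RANGE[1]:
        slot, rid = divmod(number - WINDOWS_ONLY_BASE, DOMAIN_SLOT)
        for domain_sid, s in DOMAIN_SLOTS.items():
            if s == slot:
                return "SID:%s-%d" % (domain_sid, rid)
    return "ERR:id outside configured ranges"


def handle(argv):
    """Dispatch one request: ['SIDTOID', sid] or ['IDTOSID', 'UID'|'GID', n]."""
    if len(argv) == 2 and argv[0] == "SIDTOID":
        return sid_to_id(argv[1])
    if len(argv) == 3 and argv[0] == "IDTOSID" and argv[2].isdigit():
        return id_to_sid(argv[1], int(argv[2]))
    return "ERR:bad request"


if __name__ == "__main__":
    # Refuse to start with overlapping ranges: that is the one condition the
    # thread names for the two schemes coexisting safely.
    if ranges_overlap(RFC2307_RANGE, WINDOWS_ONLY_RANGE):
        sys.exit("configured id ranges overlap")
    print(handle(sys.argv[1:]))
```

A real script would replace the two dicts with ldapsearch against the user's home domain (to read the pointer attribute) and against UNIX.EXAMPLE.COM (to read uidNumber), and would also need a GID path; the range check and the per-domain slot arithmetic carry over unchanged, and the invented ids stay stable across calls because they derive only from the domain slot and the RID.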